Preface 


ASIACRYPT 2006 was held in Shanghai, China, during December 3-7, 2006. 
This was the 12th annual ASIACRYPT conference, and was sponsored by the 
International Association for Cryptologic Research (IACR), in cooperation with 
the State Key Labs of Information Security, Chinese Academy of Sciences (LOIS), 
Lab for Cryptography and Information Security, Shanghai Jiaotong University 
(CIS/SJTU) and Natural Science Foundation of China (NSFC). 

This year we received a record number of 314 submissions, of which 303 regu- 
lar submissions were reviewed by 32 members of the Program Committee, with 
the help of 250 external referees. After a two-month review process, the Program 
Committee selected 30 papers for presentation. This volume of proceedings contains 
the revised version of the 30 selected papers. The IACR 2006 distinguished 
lecture by Ivan Damgård was also in the program. The paper “Finding SHA-1 
Characteristics” by Christophe De Cannière and Christian Rechberger received 
the best paper award. 

The reviewing process was a challenging task, and we had to reject many good 
submissions that could have been accepted under normal circumstances. I am 
very grateful to the Program Committee for their efforts to carry out this challenging 
task and to keep the high standard of ASIACRYPT conferences. We gratefully 
acknowledge our 250 external referees; without their help it would be infeasible 
to provide 1008 high-quality, often extensive, reviews. More importantly, I would 
like to thank all the authors who submitted their work to ASIACRYPT 2006. 

This year submissions were processed using the Web-based software iChair, and I 
would like to thank Thomas Baignères, Matthieu Finiasz and Serge Vaudenay 
for providing this valuable tool. I am grateful to Ruimin Shen for his generous 
and indispensable support and I would like to thank Changzhe Gao, Haining Lu 
and Jingjing Wu for the smooth operation of our Web-sites. 

I would also like to thank the General Chair, Dingyi Pei, for organizing the 
conference and the Organization Chair, Kefei Chen, for taking over all the hard 
tasks and preparing these proceedings. 

Last but not least, my thanks to all the participants of the ASIACRYPT 2006 
conference. 


September 2006 


Xuejia Lai 
Finding SHA-1 Characteristics: 
General Results and Applications 


Christophe De Cannière 1,2 and Christian Rechberger 1 

1 Graz University of Technology, 
Institute for Applied Information Processing and Communications, 
Inffeldgasse 16a, A-8010 Graz, Austria 
2 Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, 
Kasteelpark Arenberg 10, B-3001 Heverlee, Belgium 
{Christophe.DeCanniere, Christian.Rechberger}@iaik.tugraz.at 


Abstract. The most efficient collision attacks on members of the SHA 
family presented so far all use complex characteristics which were manually 
constructed by Wang et al. In this report, we describe a method to 
search for characteristics in an automatic way. This is particularly useful 
for multi-block attacks, and as a proof of concept, we give a two-block 
collision for 64-step SHA-1 based on a new characteristic. The highest 
number of steps for which a SHA-1 collision was published so far was 58. 
We also give a unified view on the expected work factor of a collision 
search and the needed degrees of freedom for the search, which facili- 
tates optimization. 


1 Introduction 

Shortcut attacks on the collision resistance of hash functions are usually differential 
in nature. In the differential cryptanalysis of block ciphers, characteristics 
with arbitrary starting and ending differences spanning less than the full number 
of rounds and having a sufficiently high probability allow key recovery attacks 
faster than brute force. This contrasts with the situation in the case of collision attacks 
on hash functions. Here characteristics of sufficiently high probability need 
to start and end with zero chaining input and output difference: the injected 
differences (via the message input) are expected to cancel themselves out. 

Members of the MD4 hash function family like the widely used SHA-1 mix 
simple building blocks like modular addition, 3-input bit-wise Boolean functions 
and bit-wise XOR, combine them into steps and iterate these steps many times. 
High probability characteristics, which are needed for fast collision search attacks, 
exploit situations where differences with respect to one operation propagate with 
high probability through other building blocks as well. As an example, an XOR 
difference in the most significant bit of a word propagates with probability one 
through a modular addition. The best characteristics for SHA-1 are constructed 
such that these and similar effects are maximized. However, they do not fulfill the 
requirement of zero differences at the chaining inputs/outputs, which makes them 
not directly usable for fast collision search attacks. Earlier work on SHA-1 [2,13] 
therefore considers characteristics which fulfill this requirement at the cost of 
less optimal probabilities. 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 1-20, 2006. 

However, the fact that an attacker has complete control over the message 
input, and thus control over the propagation of all differences in the first steps, 
gives more freedom in the choice of good characteristics. Roughly speaking, the 
probability of complex characteristics spanning the first steps which connect 
to a desired high probability characteristic does not affect the performance of a 
collision search. Hence, finding these complex connecting characteristics helps to 
improve the performance of collision search attacks. In the case of SHA-1, finding 
such characteristics made differential collision search attacks on the full SHA-1 
possible in the first place. To reflect the fact that the desired characteristics to 
connect to usually have probability one in a linearized model of the hash function, 
they are referred to as L-characteristics. The connecting characteristics do not 
have this property, hence the name NL-characteristics. 

So far, little is known about the construction of these connecting NL-characteristics. 
Wang et al. describe in their seminal paper [20] an approach which is 
based on following and manipulating differences manually [23] in combination 
with a great deal of experience and intuition. Follow-up work on SHA-1 [16] as 
well as on MD4 [9], MD5 [3,7,8,15] and SHA-0 [10] all builds on the characteristics 
given in the papers of Wang et al. [17,20,21,22]. The only exception 
is recent work by Schläffer and Oswald [14] on the conceptually much simpler 
MD4, where an algorithm for finding new characteristics given the same message 
difference as originally used by Wang et al. is reported. No one has succeeded 
so far in showing a similar ability in the case of SHA-1. By employing a new 
method and using SHA-1 as an example, we show in this article that finding 
useful NL-characteristics is also possible in more complex hash functions. 

As shown in informal presentations by Wang [18,19], the actual shape/design 
of these connecting NL-characteristics interacts with speed-up techniques at the 
final-search stage. These techniques are referred to as message modification 
techniques, and few details about them in the context of SHA-1 are publicly known 
so far. To sum up, two important methods (finding connecting NL-characteristics 
and message modification) are not fully understood, but heavily affect the actual 
collision-search complexity. Therefore, it currently seems impossible to reason 
about the limits of these techniques, other than improving on the current results 
in an ad-hoc manner. Hence the need for automated search tools as the one 
presented in this paper. 

Looking at the recent results of Wang et al. on SHA-1, we see that more degrees 
of freedom are needed for speedup purposes. As mentioned in [18], message 
conditions and state variable conditions need to be fulfilled for that purpose. It 
is observed that “the available message space is tight”, which refers to the re- 
maining degrees of freedom. 

The new view we propose unifies finding complex characteristics and speeding 
up the final search phase. By calculating the expected number of collisions, given 
the degrees of freedom, we tackle questions related to optimization. If the goal is to 
find one collision, why should the used method allow to find more than that? The 
new view gives an attacker the ability to exploit all available degrees of freedom. 

The remainder of the paper is structured as follows. Subsequently we define 
some notation in Table 1. A short description of SHA-1 is given in Sect. 2. We 
tackle the core of the problem in Sect. 3, where we revisit the approach of finding 
collisions based on differential techniques. To do that, we generalize the concept 
of characteristics and introduce a new way to calculate the expected work to 
find a collision. Some examples are given there to illustrate the new concept. 
Based on that, in Sect. 4 we finally describe a way to automatically find the 
complex NL-characteristics needed. Also there we give examples which illustrate 
its behavior. As an application of the described technique, we give a two-block 
64-step SHA-1 colliding message pair including all used characteristics in Sect. 5. 
Sect. 6 puts our contribution into the context of related and previous work. We 
conclude and survey future work in Sect. 7. 

Table 1. Notation 

  notation        description 
  $X \oplus Y$    bit-wise XOR of $X$ and $Y$ 
  $\Delta X$      difference with respect to XOR 
  $X + Y$         addition of $X$ and $Y$ modulo $2^{32}$ 
  $\delta X$      difference with respect to modular addition 
  $X$             arbitrary 32-bit word 
  $x_i$           value of the $i$-th bit 
  $X^2$           pair of words, shortcut for $(X, X^*)$ 
  $M_i$           input message word $i$ (32 bits) 
  $W_i$           expanded input message word $i$ (32 bits) 
  $X \lll n$      bit-rotation of $X$ by $n$ positions to the left, $0 \le n \le 31$ 
  $X \ggg n$      bit-rotation of $X$ by $n$ positions to the right, $0 \le n \le 31$ 
  $N$             number of steps of the compression function 

2 Short Introduction to SHA-1 

SHA-1 [11], as most dedicated hash functions used today, is based on the design 
principles of MD4. First, the input message is padded and split into 512-bit 
message blocks. An 80-step compression function is then applied to each of these 
512-bit message blocks. It has two types of inputs: a chaining input of 160 bits 
and a message input of 512 bits. Let $g(m, h)$ denote the compression function 
with message input $m$ and chaining input $h$. The chaining input $h_{n+1}$ for the 
next compression function is calculated by $h_n + g(m, h_n)$, called feed forward. 
The chaining variables for the first iteration are set to fixed values (referred to 
as IV). The result of the last call to the compression function is the hash of the 
message. The compression function basically consists of two parts: the message 
expansion and the state update transformation. 
Message Expansion. In SHA-1, the message expansion is defined as follows. 
The message is represented by 16 32-bit words, denoted by $M_i$, with $0 \le i \le 15$. 
In the message expansion, this input is expanded linearly into 80 32-bit words 
$W_i$. The expanded message words $W_i$ are defined as follows: 

$$W_i = \begin{cases} M_i & \text{for } 0 \le i \le 15, \\ (W_{i-3} \oplus W_{i-8} \oplus W_{i-14} \oplus W_{i-16}) \lll 1 & \text{for } 16 \le i \le 79. \end{cases} \qquad (1)$$


State Update Transformation. The state update transformation starts by 
copying the chaining input into the five 32-bit state variables $A, \ldots, E$, which 
are updated in 80 steps $(0, \ldots, 79)$ by using the word $W_i$ and a round constant 
$K_i$ in step $i$. A single step of the state update transformation is shown in Fig. 1. 
The function $f$ in Fig. 1 depends on the step number: steps 0 to 19 (round 1) 
use $f_{IF}$ and steps 40 to 59 (round 3) use $f_{MAJ}$. The function $f_{XOR}$ is applied 
in the remaining steps (rounds 2 and 4). The functions are defined as: 

$$f_{IF}(B, C, D) = B \wedge C \oplus \bar{B} \wedge D \qquad (2)$$

$$f_{MAJ}(B, C, D) = B \wedge C \oplus B \wedge D \oplus C \wedge D \qquad (3)$$

$$f_{XOR}(B, C, D) = B \oplus C \oplus D \qquad (4)$$

Fig. 1. One step of the state update transformation of SHA-1 

Note that $B_i = A_{i-1}$, $C_i = A_{i-2} \ggg 2$, $D_i = A_{i-3} \ggg 2$, $E_i = A_{i-4} \ggg 2$. This 
also implies that the chaining inputs fill all $A_j$ for $-4 \le j \le 0$. Thus it suffices to 
consider the state variable $A$, which we will do for the remainder of this paper. 
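The following Python model of the step-reduced compression function is an added example, not code from the paper or its authors. It implements the message expansion (1), the step functions (2)-(4) and the state update in the A-register view above, with the step count $N$ as a parameter, and it also checks the Sect. 1 observation that an XOR difference in the most significant bit of an addend passes through a modular addition with probability one. The constants are the standard SHA-1 ones; the function names are this example's own.

```python
"""Step-reduced SHA-1 in the A-register view of Sect. 2 (added example).

Only A_i is kept; the other registers are B_i = A_{i-1}, C_i = A_{i-2} >>> 2,
D_i = A_{i-3} >>> 2 and E_i = A_{i-4} >>> 2.  Standard SHA-1 constants.
"""
import hashlib
import random
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # one constant per round


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def expand(block):
    """Message expansion (1): 16 input words M_i -> 80 expanded words W_i."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    return w


def f(i, b, c, d):
    """Step-dependent Boolean function: rounds 1-4 use IF, XOR, MAJ, XOR."""
    if i < 20:
        return (b & c) ^ (~b & d & MASK)          # (2) f_IF
    if 40 <= i < 60:
        return (b & c) ^ (b & d) ^ (c & d)        # (3) f_MAJ
    return b ^ c ^ d                              # (4) f_XOR


def compress(block, h, nsteps=80):
    """N-step compression g(m, h) followed by the feed forward.

    Returns (h_next, A) where A[j + 4] is the state word A_j, -4 <= j <= N.
    The chaining input (a, b, c, d, e) fills A_0 .. A_{-4}; c, d, e are the
    rotated forms, so the rotation by 2 is undone when storing them.
    """
    a, b, c, d, e = h
    A = [rotl(e, 2), rotl(d, 2), rotl(c, 2), b, a]
    w = expand(block)
    for i in range(nsteps):
        a_i, b_i = A[-1], A[-2]
        c_i, d_i, e_i = rotr(A[-3], 2), rotr(A[-4], 2), rotr(A[-5], 2)
        A.append((rotl(a_i, 5) + f(i, b_i, c_i, d_i) + e_i + K[i // 20] + w[i]) & MASK)
    out = (A[-1], A[-2], rotr(A[-3], 2), rotr(A[-4], 2), rotr(A[-5], 2))
    return tuple((x + y) & MASK for x, y in zip(out, h)), A


def sha1_single_block(msg, nsteps=80):
    """Hash a message shorter than 56 bytes (one padded block) with N steps."""
    assert len(msg) < 56
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    h, _ = compress(block, IV, nsteps)
    return struct.pack(">5I", *h).hex()


def matches_reference(msg):
    """Full 80-step output must agree with the library SHA-1."""
    return sha1_single_block(msg) == hashlib.sha1(msg).hexdigest()


def msb_xor_difference_survives_addition(trials=10000, seed=1):
    """Sect. 1 observation: flipping the MSB of one addend flips exactly the
    MSB of the modular sum, since no carry leaves the top bit position."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = rng.getrandbits(32), rng.getrandbits(32)
        if ((x + y) & MASK) ^ (((x ^ 0x80000000) + y) & MASK) != 0x80000000:
            return False
    return True


if __name__ == "__main__":
    print(sha1_single_block(b"abc"))               # full SHA-1
    print(sha1_single_block(b"abc", nsteps=64))    # the 64-step variant of Sect. 5
    print(msb_xor_difference_survives_addition())
```

The 64-step variant used in Sect. 5 is obtained by stopping the step loop early and applying the feed forward to $A_{60}, \ldots, A_{64}$; the A-register list returned by `compress` is what a characteristic $\nabla A_{-4}, \ldots, \nabla A_N$ constrains.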

3 Collision Attacks Revisited 

The objective of this paper is to develop a method to find SHA-1 characteristics 
which are suitable for collision attacks. However, in order to solve this problem, 
we first have to determine exactly what ‘suitable’ means in this context. In 
this section, we will therefore consider collision attacks and characteristics in a 
general setting, and analyze how the choice of the characteristic affects the work 
factor of the attack. 

3.1 How Dedicated Collision Attacks Work 

If we are given an $n$-bit hash function whose output values are uniformly distributed 
and use it to hash an arbitrary pair of messages, then we expect the 
hash values to collide with a probability of $2^{-n}$. Hence, without knowing anything 
about the internals of the hash function, we should be able to find a collision 
after trying out $2^n$ pairs. Since any set of $2^n$ pairs will do, this approach can be 
turned into a birthday attack requiring only $2^{n/2}$ hash evaluations. 

Instead of testing arbitrary pairs, dedicated collision attacks try to use the 
internal structure of the hash function to locate a special subset of message pairs 
which (1) are considerably more likely to collide than random pairs, and (2) can 
efficiently be enumerated. A particularly effective way to construct such subsets 
is to restrict the search space to message pairs with a fixed difference. The 
goal is to pick these differences in such a way that they are likely to propagate 
through the hash function following a predefined differential characteristic which 
eventually ends in a zero difference (a collision) . 

As was observed in [4], the probability for this to happen can be increased 
by restricting the subset even further and imposing conditions not only on the 
differences but also on the values of specific (expanded) message bits. Moreover, 
since the internal variables of a hash function only depend on the message (and 
not on a secret key as for example in block ciphers), we can also restrict the set 
of message pairs by imposing conditions on the state variables. Depending on 
their position, however, these conditions might have a considerable impact on 
the efficiency to enumerate the messages fulfilling them. This important point is 
analyzed in detail in Sect. 3.3. 

3.2 Generalized Characteristics 

In order to reflect the fact that both the differences and the actual values of bits 
play a role in their attack, Wang et al. already extended the notion of differential 
characteristics by adding a sign to each non-zero bit difference (1 or —1). In 
this paper we generalize this concept even further by allowing characteristics to 
impose arbitrary conditions on the values of pairs of bits. 

The conditions imposed by such a generalized characteristic on a particular 
pair of words $X^2$ will be denoted by $\nabla X$. It will turn out to be convenient 
to represent $\nabla X$ as a set, containing the values for which the conditions are 
satisfied, for example 

$$\nabla X = \{X^2 \mid x_7 \cdot x_7^* = 0,\ x_i = x_i^* \text{ for } 2 \le i \le 6,\ x_1 \ne x_1^*,\ \text{and } x_0 = x_0^* = 0\}.$$

In order to write this in a more compact way, we will use the notation listed in 
Table 2. Using this convention, we can rewrite the example above as 
$\nabla X = [\texttt{7-----x0}]$. 
Table 2. Possible conditions on a pair of bits (✓: the pair $(x_i, x_i^*)$ is allowed) 

  $(x_i, x_i^*)$   (0,0)  (1,0)  (0,1)  (1,1) 
  ?                  ✓      ✓      ✓      ✓ 
  -                  ✓      .      .      ✓ 
  x                  .      ✓      ✓      . 
  0                  ✓      .      .      . 
  u                  .      ✓      .      . 
  n                  .      .      ✓      . 
  1                  .      .      .      ✓ 
  #                  .      .      .      . 
  3                  ✓      ✓      .      . 
  5                  ✓      .      ✓      . 
  7                  ✓      ✓      ✓      . 
  A                  .      ✓      .      ✓ 
  B                  ✓      ✓      .      ✓ 
  C                  .      .      ✓      ✓ 
  D                  ✓      .      ✓      ✓ 
  E                  .      ✓      ✓      ✓ 

A generalized characteristic for SHA-1 is then simply a pair of sequences 
$\nabla A_{-4}, \ldots, \nabla A_N$ and $\nabla W_0, \ldots, \nabla W_{N-1}$. 

3.3 Work Factor and Probabilities 

Let us now assume that we are given a complete characteristic for SHA-1, specified 
by $\nabla A_{-4}, \ldots, \nabla A_N$ and $\nabla W_0, \ldots, \nabla W_{N-1}$. Our goal is to estimate how 
much effort it would take to find a pair of messages which follows this characteristic, 
assuming a simple depth-first search algorithm which tries to determine 
the pairs of message words $M_i^2$ one by one starting from $M_0^2$. 

In order to estimate the work factor of this algorithm, we will compute the 
expected number of visited nodes in the search tree. But first we introduce some 
definitions. 

Definition 1. The message freedom $F_W(i)$ of a characteristic at step $i$ is the 
number of ways to choose $W_i^2$ without violating any (linear) condition imposed 
on the expanded message, given fixed values $W_j^2$ for $0 \le j < i$. 

We note that since the expanded message in SHA-1 is completely determined 
by the first 16 words, we always have $F_W(i) = 1$ for $i \ge 16$. 

Definition 2. The uncontrolled probability $P_u(i)$ of a characteristic at step $i$ 
is the probability that the output $A_{i+1}^2$ of step $i$ follows the characteristic, given 
that all input pairs do as well, i.e., 

$$P_u(i) = P\left(A_{i+1}^2 \in \nabla A_{i+1} \;\middle|\; A_{i-j}^2 \in \nabla A_{i-j} \text{ for } 0 \le j < 5,\ \text{and } W_i^2 \in \nabla W_i\right).$$

Definition 3. The controlled probability $P_c(i)$ of a characteristic at step $i$ is 
the probability that there exists at least one pair of message words $W_i^2$ following 
the characteristic, such that the output $A_{i+1}^2$ of step $i$ follows the characteristic, 
given that all other input pairs do as well, i.e., 

$$P_c(i) = P\left(\exists\, W_i^2 \in \nabla W_i : A_{i+1}^2 \in \nabla A_{i+1} \;\middle|\; A_{i-j}^2 \in \nabla A_{i-j} \text{ for } 0 \le j < 5\right).$$

With the definitions above, we can now easily express the number of nodes 
$N_s(i)$ visited at each step of the compression function during the collision search. 
Taking into account that the average number of children of a node at step $i$ is 
$F_W(i) \cdot P_u(i)$, that only a fraction $P_c(i)$ of the nodes at step $i$ have any children 
at all, and that the search stops as soon as step $N$ is reached, we can derive the 
following recursive relation: 

$$N_s(i) = \begin{cases} 1 & \text{if } i = N, \\ \max\left\{N_s(i+1) \cdot F_W^{-1}(i) \cdot P_u^{-1}(i),\; P_c^{-1}(i)\right\} & \text{if } i < N. \end{cases}$$

The total work factor is then given by 

$$N_w = \sum_{i=0}^{N} N_s(i).$$


In order to understand what the different quantities defined above represent, 
it might be helpful to walk through a small example. Table 3 shows two hypo- 
thetical search trees with corresponding values of F w , P u , and P c . The nodes 
which are visited by the search algorithm, and hence contribute to the com- 
plexity of the collision search, are filled. Note that the values of P c (i) do not 
always influence the complexity of the attack. The trees in Table 3, however, are 
examples where they do. 

Table 3. How $P_c$ affects the search tree 

[The two search trees of Table 3 are not reproduced in this copy.] 

a Both ○ and ● represent values of $W_{i-1}^2$ which lead to a consistent $A_i^2$; the nodes 
visited by the search algorithm are filled. Inconsistent values are marked with a distinct symbol. 


Let us now illustrate the previous concepts with two examples on 64-step 
SHA-1. In the first example, shown in Table 4, we consider a generalized characteristic 
which does not impose any conditions, except for a fixed IV value at 
the input of the compression function and a collision at the output. The values 
of $N_s(i)$ in the table tell us that the search algorithm is expected to traverse 
nearly the complete compression function $2^{160}$ times before finding a colliding 
pair (note that from here on all values listed in tables will be base 2 logarithms). 

In the example of Table 5, we force the state variables and the expanded 
message words to follow a given differential characteristic starting from the output 
of the 16th step (i.e., $A_{16}, \ldots, E_{16}$). How such differential characteristics can be 
found will be explained in Sect. 4. The most significant effect is that the five consecutive 
uncontrolled probabilities of $2^{-32}$ in the previous example move up to 
steps 11-15, where their effect on the number of nodes is completely neutralized 
by the degrees of freedom in the expanded message, resulting in a considerable 
reduction of the total work factor. 
The examples above clearly show that small probabilities have a much larger 
impact on the work factor when they occur after step 16 (where $F_W(i) = 1$). 
Therefore, when constructing characteristics, we will in the first place try to 
optimize the probabilities in the second part of the compression function (steps 
16 to $N-1$), even if this comes at the cost of a significant decrease of probabilities 
in the first part. 
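As an added example (not the authors' code), the recursion for $N_s(i)$ and $N_w$ of Sect. 3.3 can be evaluated directly on a profile of $(\log_2 F_W(i), \log_2 P_u(i), \log_2 P_c(i))$ values. The first profile is Example 1 as the text describes it (fixed IV, no other conditions, collision after 64 steps); reading Definition 1 so that an unconstrained message pair gives $F_W(i) = 2^{64}$ for $i < 16$ is this example's assumption. The second profile is a constructed stand-in for Example 2 with the five $2^{-32}$ probabilities at steps 11-15 and an assumed $2^{-2}$ per step after step 16; it is not the content of Table 5.

```python
"""Work factor of a generalized characteristic (Sect. 3.3).  Added example.

All inputs and outputs are base-2 logarithms, as in the paper's tables:
fw[i] = log2 F_W(i), pu[i] = log2 P_u(i), pc[i] = log2 P_c(i) for 0 <= i < N.
"""
import math


def node_counts(fw, pu, pc):
    """log2 N_s(i) for 0 <= i <= N from the recursion of Sect. 3.3:
    N_s(N) = 1 and N_s(i) = max{N_s(i+1) / (F_W(i) P_u(i)), 1 / P_c(i)}."""
    n = len(fw)
    ns = [0.0] * (n + 1)
    for i in range(n - 1, -1, -1):
        ns[i] = max(ns[i + 1] - fw[i] - pu[i], -pc[i])
    return ns


def work_factor(fw, pu, pc):
    """log2 N_w, N_w = sum_{i=0..N} N_s(i), summed relative to the largest term."""
    ns = node_counts(fw, pu, pc)
    top = max(ns)
    return top + math.log2(sum(2.0 ** (x - top) for x in ns))


def example1_profile(n=64):
    """Example 1 as described in the text: fixed IV, no other conditions,
    collision at the output.  Assumption: with no conditions on the message
    pair there are 2^64 choices of W_i^2 for i < 16.  The last five outputs
    must have zero difference (2^-32 each); after step 16 the single
    expanded word either works or not, so P_c = P_u there."""
    fw = [64.0 if i < 16 else 0.0 for i in range(n)]
    pu = [-32.0 if i >= n - 5 else 0.0 for i in range(n)]
    pc = [0.0 if i < 16 else pu[i] for i in range(n)]
    return fw, pu, pc


def example2_profile(n=64, tail_log_pu=-2.0):
    """Constructed stand-in for Example 2 (not the numbers of Table 5): the
    message difference is fixed (F_W = 2^32 for i < 16), the state follows a
    characteristic from step 16 on, so the five 2^-32 probabilities sit at
    steps 11..15.  tail_log_pu is an assumed per-step probability after step 16."""
    fw = [32.0 if i < 16 else 0.0 for i in range(n)]
    pu = [0.0] * n
    for i in range(11, 16):
        pu[i] = -32.0
    for i in range(16, n):
        pu[i] = tail_log_pu
    pc = [0.0 if i < 16 else pu[i] for i in range(n)]
    return fw, pu, pc


def compare(n=64):
    """log2 work factors of both profiles; the second is far smaller."""
    return work_factor(*example1_profile(n)), work_factor(*example2_profile(n))


if __name__ == "__main__":
    ns = node_counts(*example1_profile())
    print("Example 1: log2 N_s(16..59) =", ns[16], "log2 N_w = %.2f" % compare()[0])
    print("Example 2 (constructed): log2 N_w = %.2f" % compare()[1])
```

In the first profile the recursion yields $N_s(i) = 2^{160}$ for $16 \le i \le 59$ and a total of roughly $44 \cdot 2^{160}$, which is the "$2^{160}$ traversals" of Example 1; in the second the $2^{-32}$ terms at steps 11-15 are cancelled exactly by $F_W = 2^{32}$, so $N_s(11) = N_s(16)$, and the cost is set by the tail after step 16.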

4 Constructing Characteristics 

Having the necessary tools to estimate the work factor corresponding to any 
given generalized characteristic, we now turn to the problem of finding charac- 
teristics which minimize this work factor. 

The search method presented in this section constructs characteristics by it- 
eratively adding more conditions as long as it improves the work factor. During 
this process, two important tasks need to be performed: (1) determining when 
and where to add which condition, and (2) letting conditions propagate and 
avoiding inconsistent conditions. We first discuss the second problem. 

4.1 Consistency and Propagation of Conditions 

When analyzing the interaction of bit conditions imposed at the inputs and 
the outputs of a single step of the state update transformation, three situations 
can occur: (1) the conditions are inconsistent, (2) the conditions are consistent, 
and (3) the conditions are consistent, provided that a number of additional bit 
conditions are fulfilled as well (the conditions are said to propagate). This third 
case is illustrated in Table 6, where the conditions imposed on the expanded 
message words in the previous example propagate to the state variables. It should 
be noted that such consistency checks can be implemented in a very efficient way, 
thanks to the fact that bits at different bit positions only interact through the 
carries of the integer additions. 
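The per-bit conditions of Table 2 (Sect. 3.2) and the consistency and propagation check just described are illustrated by the following added Python example; it is not the authors' tool, which also propagates through the Boolean functions and rotations of a whole step. Condition words are written MSB first, as in the $\nabla X$ example of Sect. 3.2, and the only operation modelled is a single modular addition $Z = X + Y$, in which bit positions interact only through the carries. The propagation refines all three of $\nabla X$, $\nabla Y$ and $\nabla Z$, or reports that the conditions are inconsistent.

```python
"""Generalized bit conditions of Table 2 and their propagation through a
modular addition (Sect. 4.1).  Added example, not the authors' tool.

A condition word like '[7-----x0]' is MSB first.  Each symbol is a set of
allowed pairs (x_i, x_i*) over the columns (0,0), (1,0), (0,1), (1,1); the
hexadecimal symbols of Table 2 are exactly the 4-bit mask over these columns.
"""
COLUMNS = ((0, 0), (1, 0), (0, 1), (1, 1))
NAMED = {'?': 0xF, '-': 0x9, 'x': 0x6, '0': 0x1, 'u': 0x2, 'n': 0x4, '1': 0x8, '#': 0x0}
HEX_SYMBOLS = set("357ABCDE")      # the masks Table 2 writes as hex digits


def mask_of(sym):
    if sym in NAMED:
        return NAMED[sym]
    if sym in HEX_SYMBOLS:
        return int(sym, 16)
    raise ValueError("unknown condition symbol %r" % sym)


def symbol_of(mask):
    for sym, m in NAMED.items():
        if m == mask:
            return sym
    return "%X" % mask


def parse(spec):
    """'[7-----x0]' -> list of allowed-pair sets, index 0 = MSB."""
    return [frozenset(COLUMNS[k] for k in range(4) if mask_of(c) >> k & 1)
            for c in spec.strip("[]")]


def unparse(conds):
    return "[" + "".join(symbol_of(sum(1 << COLUMNS.index(p) for p in s))
                         for s in conds) + "]"


def satisfies(spec, x, xs):
    """Is the word pair (x, x*) in the set nabla-X described by spec?"""
    conds = parse(spec)
    n = len(conds)
    return all(((x >> (n - 1 - i)) & 1, (xs >> (n - 1 - i)) & 1) in c
               for i, c in enumerate(conds))


def size(spec):
    """|nabla-X|: number of word pairs satisfying the conditions."""
    total = 1
    for c in parse(spec):
        total *= len(c)
    return total


def intersect(spec_a, spec_b):
    """Adding conditions is a bit-wise intersection; '#' marks a bit that
    has become inconsistent (case (1) of Sect. 4.1)."""
    return unparse([a & b for a, b in zip(parse(spec_a), parse(spec_b))])


def propagate_add(spec_x, spec_y, spec_z=None):
    """Propagate conditions through Z = X + Y (mod 2^n).

    Returns the refined (nabla-X, nabla-Y, nabla-Z) as condition words, or
    None if no (X, X*, Y, Y*) satisfies all three (case (1) of Sect. 4.1).
    Bit positions interact only through the carry pair (c, c*): a forward pass
    over the reachable carry pairs plus a backward pass that drops dead ends
    gives the exact per-bit projection (case (3): propagated conditions).
    """
    cx, cy = parse(spec_x), parse(spec_y)
    n = len(cx)
    cz = parse(spec_z) if spec_z else [frozenset(COLUMNS)] * n
    trans, carries = [None] * n, {(0, 0)}        # transitions per bit; carry-in set
    for bit in range(n):                         # LSB first
        i = n - 1 - bit
        t = set()
        for xp in cx[i]:
            for yp in cy[i]:
                for cp in carries:
                    s0, s1 = xp[0] + yp[0] + cp[0], xp[1] + yp[1] + cp[1]
                    zp = (s0 & 1, s1 & 1)
                    if zp in cz[i]:
                        t.add((cp, xp, yp, zp, (s0 >> 1, s1 >> 1)))
        if not t:
            return None
        trans[i], carries = t, {tr[4] for tr in t}
    alive = carries                              # carry out of the MSB is dropped
    nx, ny, nz = [None] * n, [None] * n, [None] * n
    for i in range(n):                           # MSB first
        t = {tr for tr in trans[i] if tr[4] in alive}
        nx[i] = frozenset(tr[1] for tr in t)
        ny[i] = frozenset(tr[2] for tr in t)
        nz[i] = frozenset(tr[3] for tr in t)
        alive = {tr[0] for tr in t}
    return unparse(nx), unparse(ny), unparse(nz)


if __name__ == "__main__":
    print(satisfies("[7-----x0]", 0x02, 0x00), size("[7-----x0]"))
    print(propagate_add("[x-------]", "[--------]"))               # MSB difference survives
    print(propagate_add("[-x------]", "[--------]", "[x-------]"))  # inconsistent
    print(propagate_add("[---u]", "[----]", "[---u]"))              # propagates to Y
```

The three `propagate_add` calls show the three situations of Sect. 4.1 on an 8-bit and a 4-bit word: an XOR difference in the most significant bit of $X$ comes out of the addition unchanged (the Sect. 1 observation), a difference one bit lower cannot be forced into the MSB of $Z$ (inconsistent), and requiring a signed ‘u’ difference in the sum forces the corresponding bit of $Y$ to ‘0’ in both words, a condition that propagates to a different variable than the one it was imposed on.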

4.2 Determining Which Conditions to Add 

In Sect. 3.3 we noted that conditions in a characteristic affect the work factor in 
very different ways depending on the step where they are enforced. This is also 
reflected in the procedure which we are about to propose: in order to determine 
where to add which conditions, we will proceed in a number of distinct stages, 
each of which tries to optimize a specific part of the characteristic. 

Stage 1 . As observed in Sect. 3.3, the work factor of the collision search al- 
gorithm is mainly determined by the shape of the characteristic after step 16. 
Hence, our first goal is to find a high probability differential characteristic, which 
can start with any difference in the state variables after step 16, but ends in a 
zero difference in the last step (later on, when we consider multi-block collisions, 
this constraint will be removed as well). 
Table 6. Propagation of conditions in Example 2 

[The table itself is not reproduced in this copy. Its columns are $\nabla A_i$, $\nabla W_i$, $F_W$, $P_u$, $P_c$ and $N_s(i)$ (base 2 logarithms); the surviving cells show the first chaining word $A_0$ = 01100111010001010010001100000001 (the IV word 67452301 in hex), $F_W = 32$ for the first steps and probability entries of 0.00.] 

transformation, representing the resulting compression function as a linear code, 
and searching for low-weight vectors (see [5,12,13,20]). 

Once a suitable differential characteristic is found for the linearized variant 
(called an L-characteristic), we determine the corresponding message difference, 
and impose it on our generalized characteristic. The differences in the state variables 
after step 16 are copied in the same way, except that we do not directly 
impose constraints on the most significant and the two least significant bits, but 
instead determine them by propagation. This avoids inconsistencies caused 
in some cases by the nonlinear $f$-functions. 

Stage 2. At this point, the largest part of the work factor is most likely concentrated 
in steps 12 to 16 (see e.g. Table 5), where the state variables, which are 
not constrained in any way in the previous steps, are suddenly forced to follow 
a fixed difference. In order to eliminate this bottleneck, we want to guide the 
state variables to the target difference by imposing conditions on the first steps 
as well. 

Although the probability of this part of the characteristic is not as critical 
as before, we still want the differences to be reasonably sparse. Unfortunately, 
because of the high number of constraints (the message difference and both the 
differences at the input of the first step and at the output of step 16 are fixed 
already), suitable L-characteristics are extremely unlikely to exist in this case. 
In order to solve this problem, we will use a probabilistic algorithm which bears 
some resemblance to the algorithms used to find low-weight code words, but 
instead of feeding it with a linear code, we directly apply it to the unmodified 
(non-linear) compression function. 

The basic idea of the algorithm is to randomly pick a bit position which is 
not restricted yet (i.e., a ‘?’-bit), impose a zero-difference at this position (a 
‘-’-bit), and calculate how the condition propagates. This is repeated until all 
unrestricted bits have been eliminated, or until we run into an inconsistency, in 
which case we start again. The algorithm can be optimized in several ways, for 
example by also picking ‘x’-bits once they start to appear, guessing the sign of 
their differences (‘u’ or ‘n’), and backtracking if this does not lead to a solution. 
It turns out that inconsistencies are discovered considerably earlier this way. 

An interesting property of the proposed procedure is that the sparser a characteristic, 
the higher the probability that it will be discovered. The number of 
trials before a consistent characteristic is found is very hard to predict, though. 
Experiments show that this number can range from a few hundred to several 
hundred thousand. 
Stage 3. In the final stage, we try to further improve the work factor corresponding 
to the characteristic by performing local optimizations. To this end, 
we run through all bit positions of every state variable and every expanded 
message word, check which conditions can be added to improve the total work 
factor, and finally pick the position and corresponding condition which yields 
the largest gain. By repeating this many times, we can gradually improve the 
work factor. The example in Table 7 shows what our previous characteristic looks 
like after applying this greedy approach for a number of iterations. 

An interesting issue here is when to stop adding new conditions. In order 
to answer this question, we first notice that every additional condition reduces 
the size of the search tree, but at the same time lowers the expected number 
of surviving leaves at step $N$. In general, the work factor will improve as long 
as the search tree is reduced by a larger factor than the number of surviving 
leaves. At some point, however, the expected number of leaves will drop below 
one, meaning that message pairs which actually follow the characteristic are only 
expected to exist with a certain probability. This is not necessarily a problem if 
we are prepared to repeat the search for a number of different characteristics, 
and in fact, that is exactly how we constructed the second block of the 64-step 
collision presented in the next section. In this case, three different characteristics 
were used, the third of which is shown in Table 10 (notice that the expected 
number of characteristics needed to find one surviving leaf can directly be read 
from $N_s(0)$, in this example $2^{1.24} \approx 3$). Coming back to our original question, we 
can conclude that we should in principle continue adding conditions as long as 
the gain in work factor justifies the cost of generating additional characteristics. 

Table 7. Example 3, after adding conditions to minimize the work factor 

[The characteristic of Table 7 is not reproduced in this copy.] 

5 Applications 

To illustrate our method, we give a characteristic for a two-block collision of 
SHA-1 reduced to 64 steps with the standard IV. Note that for different initial 
chaining variables, different characteristics might be needed. This is in contrast 
to MD4 or MD5, where good characteristics are possible without having conditions 
on the chaining variables. In addition to the characteristic, we also give a 
message pair which follows the described characteristic and collides. Note that, 
to the best of our knowledge, not a single second-block characteristic for SHA-0 
or SHA-1 has been presented so far, neither in the literature nor in informal 
public talks. Hence the example we give is the first of its kind. Additionally, 
it is a collision for SHA-1 with the highest number of steps published so far 
(previously known collisions covered up to 58 steps). 

5.1 On the Choice of the Message Difference 

The choice of the message difference determines the high-probability characteristic 
$L_1$ that is followed in the later part of the compression function. This is 
illustrated in Fig. 2. In a first step, only ‘-’ and ‘x’ conditions are needed, i.e. we 
only allow XOR-differences. The signs of the differences as well as some values 
of bits are determined in a later stage of the attack. 

As previous work shows [5,12,13,20], it turns out that interleaving so-called 
local collisions (a disturbing and a set of correcting differences) is the best way to 
construct these high-probability characteristics in the case of SHA-1. It turns out 
that these characteristics are L-characteristics. In order to allow for a small work 
factor, we do not put restrictions on the output difference of the compression 
function. Thus, $\delta h_1$ will be nonzero. Good L-characteristics for variants of SHA-1 
with other than 80 steps are usually shifted versions of each other. These effects 
have also been considered in previous work, thus we do not expand on this 
issue here. In order to turn such high probability characteristics, which actually 
describe a pseudo-near-collision, into a collision-producing characteristic, NL-characteristics 
are needed. As illustrated in Fig. 2, a first NL-characteristic ($NL_1$) 
is needed to connect from a zero-difference in the chaining variables to $L_1$. After 
the feed-forward of the first block, we expect to have a modular difference $\delta h_1$ 
in the chaining variables. 

However, this difference does not fit to the difference needed to directly connect 
to the same L-characteristic used in the first block. Regardless of that, we 
want to follow this L-characteristic in the second block again (with the exception 
of different signs for some differences). The reason is that we want to cancel 
out the expected low-weight difference after the last step of the second block 
with the difference that is fed forward. We require 

$$\delta g(h_1, m_1) + \delta h_1 = 0.$$

Thus, a new NL-characteristic ($NL_2$) for the second block is needed, taking into 
account the difference between $\delta h_0$ and $\delta h_1$ and the actual values at the chaining 
input of the second block. Note that with the ability to find these general NL-characteristics 
$NL_1$ and $NL_2$, collision-producing characteristics covering more 
than two blocks do not improve the work factor. 

In [20,22], examples of NL-characteristics are given which connect to a previously
selected L-characteristic in the first block. It is commonly assumed that finding
these NL-characteristics was based on experience and intuition, and done manually.
Based on Sect. 3 and 4, we describe in the following an application for the
automatic search for suitable NL-characteristics, which succeeds for both the
first and the second block.

5.2 A Two-Block Collision for 64-Step SHA-1 

Herein we present a collision for 64-step SHA-1 using two message blocks. Tables
9 and 10 detail the characteristic used for the first block and the second block
respectively (see Sect. 3.2 for an explanation of the notation). Using our current
(unoptimized) methods, we have an expected work factor of about $2^{35}$ compression
function evaluations to find it. This compares favorably to the estimate of
$2^{36}$ given in [20].

The number of nodes in the tree visited in the search, $N_w$, is given as the
sum of all $N_s$ in Tables 9 and 10. $N_w$ relates to the expected work factor in the
following way. We measured the cost of visiting a node in the search tree to be
about $2^{-5}$ compression function evaluations. As a means of comparison we used
the SHA-1 implementation of OpenSSL 0.9.7g, which can do about $2^{19}$ compression
functions per second on our PC. Note that the work factor for both blocks is
lower than estimated. The reason is that carry differences in the last steps can
be ignored and that the characteristic of the second block can be adjusted to
allow additional deviations in the last steps of the first block.

In Table 8, we give the colliding messages. Note that we do not consider
padding rules in our example, which would simply mean adding a common block
to both messages after the collision. At this point we stress that this example
serves as a proof of concept for the unified approach to searching for complex
characteristics and optimizing the characteristic for the final search phase. Hence
it does not rule out other, probably more efficient ways to speed up the search
for colliding pairs using the given characteristic.

Table 8. Example of a 64-step collision using the standard IV (32-bit words $i$ in hexadecimal)

Message 1 ($m_0$), first block
   1-4:   63DAEFDD 30A0D167 52EDCDA4 90012F5F
   5-8:   0DB4DFB5 E5A3F9AB AE66EE56 12A5663F
   9-12:  D0320F85 8505C67C 756336DA DFFF4DB9
  13-16:  596D6A95 0855F129 429A41B3 ED5AE1CD

Message 1 ($m_1$), second block
   1-4:   3B2AB4E1 AAD112EF 669C9BAE 5DEA4D14
   5-8:   1DBE220E AB46A5E0 96E2D937 F3E58B63
   9-12:  BE594F1C BD63F044 50C42AA5 8B793546
  13-16:  A9B24128 816FD53A D1B663DC B615DD01

Message 2 ($m_0^*$), first block
   1-4:   63DAEFDE 70A0D135 12EDCDE4 70012F0D
   5-8:   ADB4DFB5 65A3F9EB 8E66EE57 32A5665F
   9-12:  50320F84 C505C63E B5633699 9FFF4D9B
  13-16:  596D6A96 4855F16B 829A41F0 2D5AE1EF

Message 2 ($m_1^*$), second block
   1-4:   3B2AB4E2 EAD112BD 269C9BEE BDEA4D46
   5-8:   BDBE220E 2B46A5A0 B6E2D936 D3E58B03
   9-12:  3E594F1D FD63F006 90C42AE6 CB793564
  13-16:  A9B2412B C16FD578 11B6639F 7615DD23

XOR-difference (the same for both blocks)
   1-4:   00000003 40000052 40000040 E0000052
   5-8:   A0000000 80000040 20000001 20000060
   9-12:  80000001 40000042 C0000043 40000022
  13-16:  00000003 40000042 C0000043 C0000022

The colliding hash value (words 1-5)
          A750337B 55FFFDBB C08DB36C 0C6CFD97 A12EFFE0
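To make the claim of Table 8 checkable, here is an added Python example (not code from the paper) that implements SHA-1 with the number of steps as a parameter, hashes the two two-block messages from the standard IV without padding, and confirms that they collide for 64 steps but not for the full 80. The message words are transcribed from Table 8; the step-reduced variant is assumed to be the first 64 steps of SHA-1 with the usual round functions and constants, and the 80-step path is cross-checked against hashlib so that a transcription or implementation slip shows up as a failed check rather than a silent wrong answer.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def compress(h, block, steps=80):
    """SHA-1 compression of one 64-byte block, stopped after `steps` steps.
    steps=80 is standard SHA-1; steps=64 is the reduced variant of Sect. 5.2
    (assumed here to be the first 64 steps, with the usual round functions
    and constants changing every 20 steps)."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, steps):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(steps):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + (f & MASK) + e + k + w[t]) & MASK, a, rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e)))  # feed-forward


def sha1(msg, steps=80):
    """Complete hash with standard padding; used only to cross-check against hashlib."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    h = IV
    for off in range(0, len(padded), 64):
        h = compress(h, padded[off:off + 64], steps)
    return struct.pack(">5I", *h)


def hash_blocks(words_hex, steps):
    """Hash whole 512-bit blocks from the standard IV with no padding, as Table 8 does."""
    words = [int(x, 16) for x in words_hex.split()]
    h = IV
    for off in range(0, len(words), 16):
        h = compress(h, struct.pack(">16I", *words[off:off + 16]), steps)
    return "".join("%08X" % x for x in h)


# Message pair transcribed from Table 8: m_0 || m_1 and m_0* || m_1* (words 1-16 per block).
MSG1 = """
63DAEFDD 30A0D167 52EDCDA4 90012F5F 0DB4DFB5 E5A3F9AB AE66EE56 12A5663F
D0320F85 8505C67C 756336DA DFFF4DB9 596D6A95 0855F129 429A41B3 ED5AE1CD
3B2AB4E1 AAD112EF 669C9BAE 5DEA4D14 1DBE220E AB46A5E0 96E2D937 F3E58B63
BE594F1C BD63F044 50C42AA5 8B793546 A9B24128 816FD53A D1B663DC B615DD01
"""
MSG2 = """
63DAEFDE 70A0D135 12EDCDE4 70012F0D ADB4DFB5 65A3F9EB 8E66EE57 32A5665F
50320F84 C505C63E B5633699 9FFF4D9B 596D6A96 4855F16B 829A41F0 2D5AE1EF
3B2AB4E2 EAD112BD 269C9BEE BDEA4D46 BDBE220E 2B46A5A0 B6E2D936 D3E58B03
3E594F1D FD63F006 90C42AE6 CB793564 A9B2412B C16FD578 11B6639F 7615DD23
"""
REPORTED_DIGEST = "A750337B55FFFDBBC08DB36C0C6CFD97A12EFFE0"  # Table 8, colliding hash value


def implementation_matches_hashlib():
    """Sanity check of the 80-step path against the standard library."""
    return all(sha1(m) == hashlib.sha1(m).digest() for m in (b"", b"abc", b"x" * 200))


def collides(steps):
    """True if the Table 8 pair is a genuine collision for the `steps`-step variant."""
    return MSG1 != MSG2 and hash_blocks(MSG1, steps) == hash_blocks(MSG2, steps)


if __name__ == "__main__":
    print("80-step implementation agrees with hashlib:", implementation_matches_hashlib())
    print("64-step digest, message 1:", hash_blocks(MSG1, 64))
    print("64-step digest, message 2:", hash_blocks(MSG2, 64))
    print("equals the value reported in Table 8:", hash_blocks(MSG1, 64) == REPORTED_DIGEST)
    print("collision at 64 steps:", collides(64), "| at the full 80 steps:", collides(80))
```

Running the script prints the 64-step digests of both messages, whether they agree with the value reported in Table 8, and that the same pair does not collide for 80-step SHA-1: a collision for a reduced-step variant is evidence about the characteristic-search method, not a break of the full function.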


6 Comparison with Previous Work 

In order to put our contribution into perspective, we compare it with related 
previous work. 

On finding suitable characteristics. In 1998, the pioneering work of Chabaud 
and Joux [4] resulted in a collision-search attack on an earlier version of SHA-1 
(termed SHA-0). Their attack is based on L-characteristics they found. The Ham- 
ming weight of these characteristics (or a part of them) was used as a rough es- 
timate of the attack complexity. However, the details depend on the positions of 
all differences. For each difference, the sign, the step in which it occurs, the bit- 
position within the word as well as its relative position to neighboring differences 
influence its impact on the attack complexity. A general and practical way to cal- 
culate this impact was described in Sect. 3.3. 

In 2005, Rijmen and Oswald reported an attack on step-reduced SHA-1 [13],
which is based on L-characteristics as well. The complexity of a collision
search on SHA-0 was also improved by Biham and Chen using the neutral-bit technique
[1], and by Biham et al. using a multi-block approach [2]. Note that the
attack on SHA-0 [2] employed four message blocks. Using the presented method
of automatically finding complex characteristics, we eliminate the need for more
than two blocks for an efficient collision-search attack.

Recent results of Wang et al. [20,22] describe further major improvements.
By employing the multi-block technique as described in Sect. 5.1, together with
the ability to manually find NL-characteristics, attack costs are improved by
many orders of magnitude. As shown in Sect. 5, our method can be used to
automatically reach the same goal. This also answers the question left open
in [16]. Since the NL-characteristic for the second block ($NL_2$) depends on the
chosen message pair for the first block, this also prevents a manual search for
new characteristics in the middle of a collision search.

Finding SHA-1 Characteristics: General Results and Applications 15

The only related work which also aims for automatic search for complex characteristics
is by Schläffer and Oswald [14] on MD4. Their method is very different
from ours. It assumes a fixed differential behavior of the function $f$ and
limits carry extensions to only a few bit positions to reduce the search space.
Thus it is not easy to extend it to more complex hash functions since these
restrictions are too strict. Our method does not restrict anything, but is still
practical.

On the cost of the final search. In previous work, the cost of the attack
is further improved by a technique called message modification. The ideas developed
in Sect. 3 and 4 can also be used for similar improvements. Both the
originally published results by Wang et al. [20] as well as the work by Sugita et al. [16]
give rough estimates for the cost of message modification: $2^1$ and $2^2$ compression
function evaluations ($c_s$), respectively. Sugita et al. also give a different trade-off.
By using Gröbner-basis methods they reduce the number of trials significantly at
the cost of increased message modification costs. Overall, this method does not
lead to improvements in practice.

Note that for the recently announced but, to the best of the authors' knowledge,
unpublished improvements of the complexity of the collision search for full SHA-1
[18] (from $2^{69}$ to $2^{63}$), no message modification costs are given, thus we lack
comparability here.

Our approach can be seen as a trade-off towards very fast trials without
the overhead of expensive message modification. As mentioned in Sect. 5.2, the
cost of visiting one node in our search is only in the order of $2^{-5} c_s$. Note that
the neutral-bit technique [1,2] can also be seen as a trade-off in this direction.
However, as reported in [1], only a small fraction (one out of eight in the simpler
case of SHA-0) of the trials conforms to a previously selected characteristic.
Comparing the neutral-bit technique to our method, we observe two differences.
Firstly, instead of a small fraction, we can be sure that every trial will conform
to the characteristic we select. Secondly, we do not rely on randomly generating
message pairs which conform to a previously selected characteristic to bootstrap
the final search. Instead we can exploit the available degrees of freedom in a
sensible way.

On exploiting degrees of freedom. In Sect. 3.3, we described a method
to calculate the expected number of collisions given a particular characteristic.
Thus we can make sensible use of the degrees of freedom up to the point where
we expect to find only one suitable message pair. This too distinguishes
our approach from all previous work.
Table 10. Third characteristic used for the second block of the 64-step collision

7 Conclusions and Future Work

We described, for the first time, a computer-implementable method to search for
complex characteristics as needed in the effective cryptanalysis of hash functions
of the MD4 family like SHA-1. As a proof of concept, we gave the characteristics
needed for a 64-step two-block collision of SHA-1. Furthermore, for the first time
an actual collision for 64-step SHA-1 is produced, with an expected work factor
of $2^{35}$ compression function computations.

We also tackled issues like work factors or degrees of freedom and put them
into a precise framework. Thus an optimal exploitation of the available degrees of
freedom becomes possible for goals like fast collision search.

Future work includes the optimization of the found characteristics for different
final search strategies, or the application of the described technique to other
hash functions. Given the increased design complexity of members of the SHA-2
family compared to SHA-1, an automatic approach as described in our article
seems to be highly beneficial for the analysis of these hash functions.

Given the ability to automatically incorporate some differences from the chaining
variables at the start of the compression function, applications such as meaningful
collisions or speeding up techniques like herding attacks [6] are also future work.
Abstract. At CRYPTO 2005, Xiaoyun Wang, Hongbo Yu and Yiqun
Lisa Yin proposed a collision attack on SHA-0 that could generate a collision
with complexity $2^{39}$ SHA-0 hash operations. Although the method
of Wang et al. can find messages that satisfy the sufficient conditions
in steps 1 to 20 by using message modification, it makes no mention of
the message modifications needed to yield satisfaction of the sufficient
conditions in steps 21 and onwards.

In this paper, first, we give sufficient conditions for the steps from
step 21, and propose submarine modification as the message modification
technique that will ensure satisfaction of the sufficient conditions
from steps 21 to 24. Submarine modification is an extension of the multi-message
modification used in collision attacks on the MD-family. Next,
we point out that the sufficient conditions given by Wang et al. are not
enough to generate a collision with high probability; we rectify this shortfall
by introducing two new sufficient conditions. The combination of our
newly found sufficient conditions and submarine modification allows us
to generate a collision with complexity $2^{36}$ SHA-0 hash operations. At
the end of this paper, we show an example of a collision generated by
applying our proposals.

Keywords: SHA-0, Collision Attack, Message Modification, Sufficient 
Condition. 


1 Introduction 

SHA-0 is the hash function issued by NIST in 1993 [5]. All hash functions must
hold 3 properties: Pre-image Resistance, Second Pre-image Resistance and Collision
Resistance. Collision Resistance means that it is very hard to find $x, y$ such
that $x \neq y$ and $H(x) = H(y)$, where $H(\cdot)$ is any hash function. Collision Resistance
is more difficult to keep than any other property. The Collision Resistance
of SHA-0 was broken recently [2]. This paper uses the term Collision Attack to
refer to attacks that break Collision Resistance.

The first collision attack on SHA-0 was proposed by F. Chabaud and A. Joux
in 1998 [3]. They employed a differential attack and used XOR as the differential.
After that, E. Biham and R. Chen improved on [3], and found near collisions [1].
A near collision means $x, y$ such that $x \neq y$ and $H(x), H(y)$ differ only by a small
number of bits. At the rump session of CRYPTO 2004, the first announcement of
finding a collision of SHA-0 was made by A. Joux [4]. Details of this attack were
presented at EUROCRYPT 2005 by E. Biham, R. Chen, A. Joux, P. Carribault,
W. Jalby and C. Lemuet [2]. In 2004, Wang proposed an independent collision
attack method on SHA-0 [10,11]. Wang's method uses the differential attack approach
in which numerical operations are used as the differential. Subsequently,
X. Wang, H. Yu and Y. Lisa Yin proposed an improved version of Wang's attack
[14]. This method has complexity of $2^{39}$ SHA-0 hash operations, and is the most
efficient collision attack method proposed so far.

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 21-36, 2006.

The method of Wang et al. can be divided into 2 phases. In the pre-computation
phase, a differential path and conditions that indicate that a collision is possible
are constructed. In this paper, we call these conditions "sufficient conditions".
Sufficient conditions define the triggers for ending the collision search. In the collision
search phase, an input message satisfying all sufficient conditions is searched for.
If this message is found, a collision can be generated. In this phase, message modification
is used to efficiently find a message that satisfies the sufficient conditions.

According to Wang et al., in the case of SHA-0, a message satisfying the sufficient
conditions from steps 1 to 20 can be located efficiently by using message modification.
The specification of SHA-0 states that the message words used in steps 1-16
are input message words, whereas the message words used in steps after 16 are determined by
message expansion as defined by the specification of SHA-0. In the method
of Wang et al., messages satisfying the sufficient conditions in steps 1-16 can,
with probability 1, be generated by using message modification. Since steps 1-16
are not affected by the limitations placed on message expansion, it is possible to
choose values of the chaining variables to satisfy all sufficient conditions, and then
calculate the message words that yield these chaining variables. Regarding the sufficient
conditions in steps 17-20, if these conditions are not satisfied and message
modification is executed, these sufficient conditions are satisfied with probability
of almost 1. Since the steps from 17 are affected by message expansion, the
message modification in steps after 16 proposed by Wang et al. is executed by
generating a differential in a step not affected by message expansion. Since
this differential (we call it the "transmission differential") is transferred
to subsequent steps, the sufficient conditions are satisfied by the transferred
differential. We call this method the "transmission method". Without using these
methods, the probability that a sufficient condition is satisfied in one trial is $1/2$.
For example, suppose there exists one condition in step $i$ and the complexity to
calculate all necessary operations up to step $i$ is $j$ steps. In this case, the number
of steps needed to ensure the success of step $i$ is $2j$ (on average). By using these
methods, if the complexity of message modification is $p$ steps, the number of
steps needed to ensure the success of step $i$ is $j + \frac{1}{2}p$ (on average). Since we
choose message modification such that the complexity is $p < j$, message modification
reduces the complexity by $j - \frac{1}{2}p$ steps. Therefore, we can efficiently
locate a collision by using message modification. Note that message modification
in the steps after 16 is particularly important in reducing the complexity of
collision search.
Our Results

Our paper makes 2 contributions.

1st Result: Wang et al. have not proposed message modification to satisfy
the sufficient conditions from step 21; their solution is random search. In
this paper, we propose message modification for steps 21-24. We call this
proposal "submarine modification". It takes advantage of the ideas of multi-message
modification for the MD-family (we call multi-message modification
for the MD-family the "cancel method") and the transmission method (details are
described below). Since the same discussion about the complexity of message
modification made above with regard to the proposal of Wang et al.
can be applied to submarine modification, submarine modification satisfies
the sufficient conditions more efficiently than random search. Since
the structures of the MD-family and SHA-1 are very similar to that of SHA-0,
submarine modification may also be applicable to those hash functions.

2nd Result: We show that the sufficient conditions given by Wang et al. are
missing two conditions, and then describe the missing sufficient conditions.

From the second result, even if a message satisfying all sufficient conditions
given by Wang et al. is found, the collision search does not always succeed. Since
their conditions are two short, and each missing condition holds only by chance
with probability $1/2$, their method fails with probability $3/4$. We
identify the two missing sufficient conditions and use them with our submarine
modification proposal to search for a collision. Considering the fact that the
number of sufficient conditions in steps 21-24 is 4 and given the complexity of
submarine modification, a computer experiment finds that our method finds a
collision with complexity $2^{36}$ SHA-0 hash operations. The PC used had a Pentium 4
3.4 GHz CPU (OS: Linux 2.6.9 (Fedora Core 3, Red Hat 3.4.2), compiler:
gcc 3.4.2-i386). In the fastest case, a collision was found in 8 hours. The average
time to find a collision was roughly 100 hours.

Overview of Our Main Idea: Submarine Modification

Submarine modification uses two ideas of message modification, the "transmission
method" and the "cancel method". We can satisfy sufficient conditions for up to
step 24 by using submarine modification.

The "transmission method" is the method that can satisfy sufficient conditions
for up to step 21 of SHA-0 (Wang et al. apply the transmission method to the sufficient
conditions for steps 17-20; we confirm that the transmission method is applicable to
satisfy the sufficient conditions for steps 17-21). Namely, the transmission method can
satisfy sufficient conditions for 5 steps from the start step of transmission.

The "cancel method" is the method that uses the idea of the local collision. A
local collision is the method where we create a differential and offset it
within several steps. We construct the method that inputs differentials and
offsets their effects before step 16 such that the differential
(we call it the "latent differential") appears again from step 17 due
to message expansion, after the differential has been offset. Differentials do not appear
in the steps between the step where the differential is offset and the step where the
latent differential appears. We call these steps the "latent period". We denote the
number of steps in the latent period after step 17 as $t$. The differentials created
before the step where the latent differential appears have no influence there. The cancel
method is the method with which the sufficient condition for the step where
the latent differential appears is satisfied by using the latent differential. We use
the idea of the cancel method in order to allow the start step of transmission to
lie between step 17 and step 19. Note that the cancel method itself does not use
transmission of the latent differential.

The method that we propose in this paper satisfies sufficient conditions for up
to step 24. If we use the transmission method to satisfy sufficient conditions for up
to step 24, we need to extend the range where the transmission differential can
be started from step 16 to step 19. We can realize this by using the idea of the cancel
method. Since the maximum length of the latent period after step 17 for SHA-0 is $t = 3$,
we can extend the range of the start step of transmission from step 16 to step
19 if we adopt the transmission differential as the latent differential. The latent
differential can be created by using the cancel method. Since the cancel method leaves
the sufficient conditions already satisfied in the latent period untouched, we
can satisfy sufficient conditions for 5 steps from the start step of transmission
by applying the transmission method. Since this method takes advantage of the
differentials whose local effects are cancelled in the earlier steps, we call this
message modification technique "submarine modification".

2 Structure of SHA-0 [5]

SHA-0 is a hash function issued by NIST in 1993. SHA-0 has the Merkle-Damgård
structure, therefore it repeatedly applies a compression function. The SHA-0
input is an arbitrary-length message $M$, and the SHA-0 output is the 160-bit value
$H(M)$. If the length of the input message is not a multiple of 512 bits, the message is
padded to a multiple of 512 bits. The padding process is $M^* = M \,\|\, 10\ldots0$:
first a 1 bit is appended, and then as many 0 bits as are needed. (The standard
additionally appends the 64-bit message length; since the two colliding messages
considered here have equal length, this detail does not affect the attack.) The padded
message $M^*$ is divided into several 512-bit blocks $M_i$ ($M^* = M_1 \| M_2 \| \cdots \| M_n$).
These blocks are input to the compression function one after the other:

$$h_1 = \mathrm{compress}(M_1, IV) \;\to\; h_2 = \mathrm{compress}(M_2, h_1) \;\to\; \cdots \;\to\; h_n = \mathrm{compress}(M_n, h_{n-1}), \qquad H(M) = h_n.$$

In this paper, we call the calculation performed in a single run of the compression
function one block. $IV$ in the above expression is defined as $(a_0, b_0, c_0, d_0, e_0) =
(\mathtt{0x67452301}, \mathtt{0xefcdab89}, \mathtt{0x98badcfe}, \mathtt{0x10325476}, \mathtt{0xc3d2e1f0})$. We next explain
the structure of the compression function of SHA-0. All calculations in it are
32-bit; in this paper, we omit writing "mod $2^{32}$".

Procedure 1. Divide the input message $M_j$ into 32-bit message words $m_0, m_1, \ldots, m_{15}$.

Procedure 2. Calculate $m_{16}$ to $m_{79}$ by $m_i = m_{i-3} \oplus m_{i-8} \oplus m_{i-14} \oplus m_{i-16}$.

Procedure 3. Calculate the chaining variables $a_i, b_i, c_i, d_i, e_i$ in step $i$ by the following
procedure:

$$a_i = (a_{i-1} \lll 5) + f(b_{i-1}, c_{i-1}, d_{i-1}) + e_{i-1} + m_{i-1} + k_{i-1},$$

$$b_i = a_{i-1},\quad c_i = b_{i-1} \lll 30,\quad d_i = c_{i-1},\quad e_i = d_{i-1}.$$

"$\lll j$" denotes left cyclic shift by $j$ bits. Repeat this process 80 times.
The initial values $a_0, b_0, c_0, d_0, e_0$ for the compression function of the first block
are $IV$. For the compression function from the second block on, $a_0, b_0, c_0, d_0, e_0$
are the output values of the previous block. Steps 1-20 are called the first
round. Steps 21-40, 41-60, and 61-80 are the second, third, and fourth rounds,
respectively. $k_{i-1}$ is a constant defined in each round. The function $f$ is a Boolean
function defined in each round. The specifications of $k$ and $f$ are shown in
Table 1.


Table 1. Function $f$ and constants $k$ in SHA-0

round   function $f$                                 constant $k$
1       $(b \wedge c) \vee (\neg b \wedge d)$         0x5a827999
2       $b \oplus c \oplus d$                         0x6ed9eba1
3       $(b \wedge c) \vee (c \wedge d) \vee (d \wedge b)$   0x8f1bbcdc
4       $b \oplus c \oplus d$                         0xca62c1d6

Procedure 4. $(a_0 + a_{80},\; b_0 + b_{80},\; c_0 + c_{80},\; d_0 + d_{80},\; e_0 + e_{80})$ is the output of the
compression function.

3 Collision Attack by Wang et al. [8,9,14,15]

The method of Wang et al. is based on a differential attack which uses subtraction
as the differential. If a collision is found on a hash function $H(\cdot)$, that is, $M, M'$
such that $H(M) = H(M')$ and $M \neq M'$ are found, the differential values of $M$ and
$H(M)$ become $\Delta M = M' - M \neq 0$ and $\Delta H(M, M') = H(M') - H(M) = 0$. Let $x$
and $x'$ be certain values. We write $x' - x$ as $\Delta x$, and we call $\Delta x$ the differential
value of $x$. Since the differential value of the input message is $\Delta M \neq 0$, the differential
values of the chaining variables of the hash function are not all 0.

The method of Wang et al. first fixes the differential values. It determines the
differential values of the chaining variables and the differential value of the input
message so that the output differential value of the hash function $\Delta H(M, M')$
becomes $\Delta H(M, M') = 0$ while the differential value of the input message is
$\Delta M \neq 0$. However, even if we find a pair of messages $M, M'$ that satisfy
$\Delta M$, the output differential value is not always $H(M') - H(M) = 0$. This can
happen since the differentials of the chaining values computed from $M$ and $M'$ do not always
take the prescribed differential values of the chaining variables. Therefore, we need to set
conditions for satisfying the differential values of the chaining variables. We call
these conditions "sufficient conditions". These procedures (deciding the differential
value of the input message, the differential values of the chaining variables and the
sufficient conditions) are the pre-computation.

We start the collision search by using the differential value of the input message $\Delta M$
and the sufficient conditions decided in the pre-computation phase. First, we search
for a message $M$ satisfying all sufficient conditions. Next, we calculate $M' = M +
\Delta M$. $M$ and $M'$ thus become colliding messages, that is, $H(M) = H(M')$.
In order to efficiently locate a message that satisfies all sufficient conditions,
message modification can be used.


3.1 Message Modification for SHA-0 and MD-Family

First, we explain message modification for SHA-0, and clarify the range wherein
message modification can be applied. Next, since we use the idea of the cancel
method, which was originally proposed for the MD-family, as part of the proposed
submarine modification, we explain the procedure of the cancel method.

Message Modification for SHA-0 [14]

Message modification for SHA-0 can generate messages satisfying all sufficient
conditions in steps 1-16 with probability 1. The procedure is shown below.

- Message modification for step $i$ ($1 \le i \le 16$):

1. Generate $a_i$ satisfying all sufficient conditions on $a_i$.

2. Calculate $m_{i-1} \leftarrow a_i - (a_{i-1} \lll 5) - f(b_{i-1}, c_{i-1}, d_{i-1}) - e_{i-1} - k_{i-1}$.
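As an added example (not code from the paper), the following Python puts together the SHA-0 compression function of Sect. 2 and the single-step message modification above. It walks steps 1 to 16, forces a set of bit conditions on each $a_i$ by solving the step equation for $m_{i-1}$, and then measures that a condition placed on $a_{17}$, whose message word comes from message expansion, is met only about half of the time, which is exactly the gap that the transmission, cancel and submarine methods exist to close. Assumptions: bits are numbered from 1 at the least significant position, matching the paper's $a_{i,j}$ notation; the constant used in step $i$ is written $k_{i-1}$ as in the step equation above; the condition set is a constructed toy one chosen for illustration, not a condition set from the paper.

```python
import random

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # one constant per round of 20 steps


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def f(i, b, c, d):
    """Boolean function of step i (1-based), by round as in Table 1."""
    r = (i - 1) // 20
    if r == 0:
        return ((b & c) | (~b & d)) & MASK
    if r == 2:
        return (b & c) | (c & d) | (d & b)
    return b ^ c ^ d


def expand(m):
    """Procedure 2: SHA-0 message expansion, XOR only (no rotation, unlike SHA-1)."""
    w = list(m)
    for j in range(16, 80):
        w.append(w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16])
    return w


def step(i, state, w):
    """Procedure 3, step i: a_i = (a_{i-1} <<< 5) + f + e_{i-1} + m_{i-1} + k_{i-1}."""
    a, b, c, d, e = state
    a_i = (rotl(a, 5) + f(i, b, c, d) + e + w[i - 1] + K[(i - 1) // 20]) & MASK
    return (a_i, a, rotl(b, 30), c, d)


def invert_step(i, state, a_target):
    """Solve the step equation for m_{i-1} so that step i outputs exactly a_target."""
    a, b, c, d, e = state
    return (a_target - rotl(a, 5) - f(i, b, c, d) - e - K[(i - 1) // 20]) & MASK


def bit(x, j):
    """Bit j of x, numbered from 1 at the least significant bit (paper's a_{i,j})."""
    return (x >> (j - 1)) & 1


def violations(m, conditions, steps=80):
    """(step, bit) pairs whose condition a_{i,j} = v fails when m is hashed."""
    w, state, bad = expand(m), IV, []
    for i in range(1, steps + 1):
        state = step(i, state, w)
        bad += [(i, j) for j, v in conditions.get(i, ()) if bit(state[0], j) != v]
    return bad


def modify(m, conditions):
    """Single-step message modification (Sect. 3.1) for steps 1..16: compute a_i,
    overwrite the conditioned bits, then recompute m_{i-1} so the step yields that
    a_i. Words before m_{i-1} are untouched, so earlier conditions stay satisfied."""
    m, state = list(m), IV
    for i in range(1, 17):
        a_i = step(i, state, m)[0]
        for j, v in conditions.get(i, ()):
            a_i = a_i | (1 << (j - 1)) if v else a_i & ~(1 << (j - 1)) & MASK
        m[i - 1] = invert_step(i, state, a_i)
        state = step(i, state, m)
    return m


# Constructed toy condition set (not from the paper): two bit conditions on each
# a_i for i = 1..16, and one on a_17. The step-17 word m_16 comes from message
# expansion, so single-step modification cannot force that last condition.
CONDITIONS = {i: ((i + 1, i % 2), (i + 16, (i + 1) % 2)) for i in range(1, 17)}
CONDITIONS[17] = ((4, 1),)


def demo(trials=400, seed=2006):
    """Modify `trials` random messages. Returns (all step-1..16 conditions held in
    every trial, fraction of trials in which the step-17 condition held by chance)."""
    rng = random.Random(seed)
    early_ok, late_hits = True, 0
    for _ in range(trials):
        m = modify([rng.getrandbits(32) for _ in range(16)], CONDITIONS)
        bad = violations(m, CONDITIONS, steps=17)
        early_ok &= all(i == 17 for i, _ in bad)
        late_hits += not bad
    return early_ok, late_hits / trials


if __name__ == "__main__":
    ok, rate = demo()
    print("steps 1-16: conditions satisfied with probability 1:", ok)
    print("step 17: condition met by chance in %.0f%% of trials" % (100 * rate))
```

The design point is the inversion: because every term of the step equation other than $m_{i-1}$ is already fixed by the previous state, any target $a_i$ is reachable by one subtraction, which is why the 32 conditions on steps 1-16 cost nothing while the single condition on step 17 still costs a factor of 2 per trial.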

The transmission method was proposed by Wang et al. as follows. These modifications
are executed when the sufficient conditions are checked and found to be not satisfied.
In message modification for steps 17-20, differentials are generated in order to
create a differential on the bit where the sufficient condition that we want to satisfy
lies. From the specification of SHA-0, since we can freely choose message words only
for steps 1-16, we input the differential on a message word used in up to step 16.
We then transfer this differential to step 17, which yields the differentials that
affect the targeted bits in the subsequent steps.

Multi-message Modification for MD-Family [8,9]

Multi-message modification for the MD-family (which we call the cancel method)
involves modifying messages to satisfy the sufficient conditions from step 17 of
the MD-family. In the cancel method, differentials are input in steps which are not
affected by message expansion, and the impact of those differentials is then cancelled.
The differentials that were input appear in step 17 and later steps due to message
expansion, and this leads to satisfaction of the sufficient conditions. The cancel
method does not use the technique where the latent differential is transferred.


3.2 Collision Search for SHA-0

Collision search is done to locate a message that satisfies all sufficient conditions;
it involves the use of 2-block messages. The sufficient conditions on the
first block are set in order to control the differentials of the chaining variables
on the second block. Since all of these are conditions on output values, they
cannot be satisfied by message modification. Therefore, we do not execute any
message modification when searching for a message that satisfies all sufficient
conditions of the first block. Fortunately, since the complexity of message search
in the first block ($2^{14}$ SHA-0 operations) is much smaller than that of the second
block ($2^{39}$ SHA-0 operations), the complexity of the first block does not
impact the overall complexity. Collision search on the second block is done by using
message modification. Furthermore, the early-stopping technique can be used
to efficiently find a message that satisfies the sufficient conditions. In the early-stopping
technique, after step 24 is calculated, the sufficient conditions up to
step 24 are checked to determine whether they are satisfied or not. If all conditions
are satisfied, the steps from 25 are calculated. Otherwise, collision search is
repeated from the first procedure. It is important to remember that this method
still cannot find a message that is assured of satisfying the sufficient conditions
in steps 21-24 with probability of almost 1. Submarine modification, proposed
in this paper, can satisfy the sufficient conditions in steps 21-24 with probability
of almost 1.

Another problem of the existing method is that it is impossible to execute the
algorithm proposed by Wang et al. since their description of it is incomplete. We
rectify this omission in Appendix B.

4 New Message Modification Techniques

The method of Wang et al. uses message modification to efficiently locate a
collision. Their method can efficiently generate messages satisfying the sufficient
conditions up to step 20. However, Wang et al. did not propose message
modification for subsequent steps. This section studies message modification,
and proposes message modification so as to satisfy the sufficient conditions in
steps 21 to 24. In this paper, we call this modification submarine modification.
Since the structure of SHA-0 is very similar to those of the MD-family and SHA-1,
submarine modification may also be applicable to those hash functions.

4.1 Main Idea of Submarine Modification

The transmission method can be applied to satisfy sufficient conditions for 5 steps
from the start step of transmission (footnote 1). If we use the transmission method to satisfy
sufficient conditions after step 22, we need to extend the range where the
transmission differential can be started to after step 17. Therefore, we use the idea
of the cancel method in order to extend the range where the transmission differential
can be started. If we use the latent differential as the transmission differential, we
can extend the range where the transmission differential can be started to step
19, followed by the 5 steps. In the case of SHA-0, the maximum length of the latent
period after step 17 is $t = 3$ (footnote 2). As a result, we can satisfy sufficient conditions
for up to step 24 by combining the ideas of the cancel method and the transmission method.
We use the idea of the cancel method to create the latent differential for steps 17-19.
Since the cancel method leaves the sufficient conditions already satisfied in the latent
period untouched, we can satisfy sufficient conditions for 5 steps from the
start step of transmission by applying the transmission method. A brief explanation
of submarine modification is shown in Figure 1.

Footnote 1: We confirm the number of applicable steps by a computer experiment.

Footnote 2: By considering a local collision and message expansion, we can find $t = 3$.


Fig. 1. Outline of Submarine Modification [figure: step $i$: input a differential $\delta a_i = 2^j$; step $i+1$: $\delta b_{i+1} = 2^j$; following steps: execute the procedures canceling the differential, so that the differentials of the chaining values are 0; a later step: the differential appears again from the message expansion and corrects the sufficient condition]


Remark. In this paper, we apply submarine modification to only the case of 
steps 21-24. However, submarine modification can be also applied to steps 17-20. 
We want to note that submarine modification is not limited to only the case of 
steps 21-24. 


4.2 How to Construct Submarine Modification 

Submarine modification involves inputting and offsetting differentials and 
transferring differentials. The procedure of submarine modification is as follows: 

1. Decide the differentials that satisfy a target sufficient condition in step $j$ ($j > 17$) 
by considering the transfer of differentials. (The idea of the transmission method.) 

2. Decide the method for inputting and offsetting differentials before step 16 
so as to yield the necessary differentials in step $j$. (The idea of the cancel method.) 


4.3 Proposal of Submarine Modification 

There are 4 sufficient conditions from steps 21 to 24: $a_{21,4} = a_{20,4}$ (or $a_{21,4} \ne a_{20,4}$), 
$a_{22,2} = m_{21,2}$, $a_{22,4} = a_{21,4}$ (or $a_{22,4} \ne a_{21,4}$), $a_{23,2} = m_{22,2}$. In this section, 
we propose message modification to satisfy each of these sufficient conditions. 

Theorem 1. Suppose we set the following conditions as Extra Conditions: $a_{6,6} = m_{5,6}$, 
$m_{6,11} \ne m_{5,6}$, $m_{7,6} = m_{5,6}$, $a_{7,4} = 0$, $a_{8,4} = 1$, $m_{10,4} \ne m_{5,6}$. If we modify 
the message as shown below, the sufficient condition $a_{21,4} = a_{20,4}$ (or $a_{21,4} \ne 
a_{20,4}$) is satisfied with probability of almost 1. 

$m_5 \leftarrow m_5 \oplus 2^5,\quad m_6 \leftarrow m_6 \oplus 2^{10},\quad m_7 \leftarrow m_7 \oplus 2^5,\quad m_{10} \leftarrow m_{10} \oplus 2^3$ 

In order to satisfy the extra conditions, we generate messages that satisfy these 
extra conditions in advance by a method similar to that used to satisfy the 
sufficient conditions. 

Proof. We explain the change in each chaining variable, step by step, when the 
message modification of Theorem 1 is executed. 

Step 6. In this step, the differential $\delta m_5 = \pm 2^5$ is input. Here, $\delta x$ is the differential 
created by message modification on the chaining variable (or message word) $x$. In this step, $a_6$ is 
calculated as follows: 

$a_6 = (a_5 \lll 5) + f(b_5, c_5, d_5) + e_5 + m_5 + k_5.$ 

After this equation is calculated, $\delta a_6$ becomes $\delta a_6 = \pm 2^5$ because $\delta m_5 = 
\pm 2^5$. Since $a_{6,6} = m_{5,6}$ is set as the extra condition, $\delta a_6 = \pm 2^5$ does not 
trigger a differential carry: flipping the 6th bit of $m_5$ causes no carry in $m_5$, and 
the signs of $\delta a_6$ and $\delta m_5$ are the same, which confirms that no carry occurs in $a_6$. 

Step 7. In step 7, $a_7$ is calculated as follows: 

$a_7 = (a_6 \lll 5) + f(b_6, c_6, d_6) + e_6 + m_6 + k_6.$ 

To ensure $\delta a_7 = 0$, we cancel $\delta a_6 = \pm 2^5$ by $\delta m_6 = \pm 2^{10}$. Since $m_{6,11} \ne m_{5,6}$ 
was set as the extra condition, the sign of $\delta a_6 = \pm 2^5$ and the sign of $\delta m_6 = 
\pm 2^{10}$ become opposite, and they cancel each other. Due to this condition, 
in the case of $m_{5,6} = 0$, $m_{6,11}$ becomes $m_{6,11} = 1$. In this situation, $m_{5,6}$ 
changes from 0 to 1 because of the differential, and $m_{6,11}$ changes from 1 
to 0. Since we have ensured that no carry occurs, $\delta m_5$ and $\delta m_6$ become 
$\delta m_5 = 2^5$ and $\delta m_6 = -2^{10}$, respectively. Since $\delta m_5 = 2^5$, $\delta a_6$ becomes 
$\delta a_6 = 2^5$. Therefore, $\delta a_7 = 0$ from $\delta a_6 \lll 5 = 2^5 \cdot 2^5 = 2^{10}$ and $\delta m_6 = -2^{10}$. 

In the case of $m_{5,6} = 1$ and $m_{6,11} = 0$, a similar analysis finds that $\delta a_7$ is 
assured of being 0. 

Step 8. In step 8, $a_8$ is calculated as follows: 

$a_8 = (a_7 \lll 5) + f(b_7, c_7, d_7) + e_7 + m_7 + k_7.$ 

To ensure $\delta a_8 = 0$, we cancel $\delta b_7 = \pm 2^5$ by $\delta m_7 = \pm 2^5$. Since $m_{7,6} = m_{5,6}$ 
was set as the extra condition, $m_{7,6} = 0$ when $m_{5,6} = 0$. In this situation, 
$m_{5,6}$ changes from 0 to 1, and $m_{7,6}$ changes from 0 to 1. Since we have ensured 
that no carry occurs, $\delta m_5$ and $\delta m_7$ become $\delta m_5 = 2^5$ and $\delta m_7 = 2^5$. Since 
$\delta m_5 = 2^5$, $\delta a_6 = 2^5$, that is, $\delta b_7 = 2^5$. Since the function $f$ is 
$f(b_7, c_7, d_7) = (b_7 \wedge c_7) \vee (\neg b_7 \wedge d_7)$, and $c_{7,6} = 0$, $d_{7,6} = 1$ are ensured to 
be satisfied by the sufficient conditions, the 6th bit of $f(b_7, c_7, d_7)$ before 
the differential input is 1, and the 6th bit of $f(b_7, c_7, d_7)$ after the differential input 
is 0. Therefore, $\delta f(b_7, c_7, d_7)$ becomes $-2^5$ and is canceled by $\delta m_7 = 2^5$. As a 
result, $\delta a_8$ becomes $\delta a_8 = 0$. In the case of $m_{7,6} = 1$ and $m_{5,6} = 1$, a similar 
analysis confirms that $\delta a_8$ is assured of being 0. 

Step 9. In step 9, $a_9$ is calculated as follows: 

$a_9 = (a_8 \lll 5) + f(b_8, c_8, d_8) + e_8 + m_8 + k_8.$ 

Since $a_{7,4} = 0$ is set as the extra condition, we can cancel $\delta c_8 = \pm 2^3$ from the 
property of the function $f$. Since the function $f$ is $f(b_8, c_8, d_8) = (b_8 \wedge c_8) \vee (\neg b_8 \wedge 
d_8)$, if $b_{8,4} = 0$, the 4th bit of $f(b_8, c_8, d_8)$ is equal to $d_{8,4}$, and if $b_{8,4} = 1$, the 
4th bit of $f(b_8, c_8, d_8)$ is equal to $c_{8,4}$. Therefore, $\delta c_8 = \pm 2^3$ 
is canceled by setting the extra condition $a_{7,4} = 0$, that is, $b_{8,4} = 0$. As a 
result, $\delta a_9$ becomes 0. 

Step 10. In step 10, $a_{10}$ is calculated as follows: 

$a_{10} = (a_9 \lll 5) + f(b_9, c_9, d_9) + e_9 + m_9 + k_9.$ 

Since $a_{8,4} = 1$ is set as the extra condition, we can cancel $\delta d_9 = \pm 2^3$ from 
the property of the function $f$ (with $b_{9,4} = a_{8,4} = 1$, the 4th bit of $f$ equals $c_{9,4}$ 
and does not depend on $d_{9,4}$). This basically follows Step 9. 

Step 11. In step 11, $a_{11}$ is calculated as follows: 

$a_{11} = (a_{10} \lll 5) + f(b_{10}, c_{10}, d_{10}) + e_{10} + m_{10} + k_{10}.$ 

To ensure $\delta a_{11} = 0$, we cancel $\delta e_{10} = \pm 2^3$ by $\delta m_{10} = \pm 2^3$. Since $m_{10,4} \ne 
m_{5,6}$ is set as the extra condition, $m_{10,4}$ becomes $m_{10,4} = 1$ when $m_{5,6} = 0$. 
In this situation, $m_{5,6}$ changes from 0 to 1, and $m_{10,4}$ changes from 1 to 0. 
Since we have ensured that no carry is triggered by the differential, $\delta m_5$ and 
$\delta m_{10}$ become $\delta m_5 = 2^5$ and $\delta m_{10} = -2^3$, respectively. Since $\delta m_5 = 2^5$, $\delta a_6$ 
becomes $\delta a_6 = 2^5$, that is, $\delta e_{10} = 2^3$. Therefore, $\delta e_{10} = 2^3$ is canceled by 
$\delta m_{10} = -2^3$, and $\delta a_{11}$ becomes 0. In the case of $m_{5,6} = 1$ and $m_{10,4} = 0$, a 
similar analysis shows that $\delta a_{11}$ becomes 0. 

From Step 17. Because of the input differentials and the message expansion, the 
following message differentials appear from step 19: $\delta m_{18} = \pm 2^3$, $\delta m_{19} = \pm 2^5$ 
and $\delta m_{20} = \pm 2^{10}$. $\delta m_{18} = \pm 2^3$ is transferred as shown below, and $a_{21,4} = 
a_{20,4}$ (or $a_{21,4} \ne a_{20,4}$) is satisfied by $\delta a_{21} = \pm 2^3$. 

$\delta m_{18} = \pm 2^3 \rightarrow \delta a_{19} = \pm 2^3 \rightarrow \delta b_{20} = \pm 2^3 \rightarrow \delta a_{21} = \pm 2^3$ □ 

Remark. We experimentally confirmed that the probability that this message 
modification can satisfy the target condition without affecting other sufficient 
conditions is almost 100%. The complexity of this message modification is less 
than the operations of 2 steps. 
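The message-expansion part of the proof can be checked mechanically. The following Python is an added example, not code from the paper: it implements the SHA-0 message expansion $m_i = m_{i-3} \oplus m_{i-8} \oplus m_{i-14} \oplus m_{i-16}$ (with an optional one-bit rotation, which is the only change SHA-1 makes to the expansion and which the SHA-1 example of Section 4.4 relies on) and propagates the XOR differences that Theorem 1 injects into $m_5, m_6, m_7, m_{10}$ through it. Because the expansion is linear over XOR, the differences of the expanded words do not depend on the message itself, so the zero differences of $m_{16}, m_{17}$ and the values $\delta m_{18} = \pm 2^3$, $\delta m_{19} = \pm 2^5$, $\delta m_{20} = \pm 2^{10}$ that appear from step 19 can be read off directly. The sign rule used throughout the proof (flipping a 0 bit gives $+2^j$, flipping a 1 bit gives $-2^j$) is included as `signed_diff`. All function and variable names are the example's own.

```python
MASK = 0xFFFFFFFF


def rotl(x, n):
    """32-bit rotate left."""
    return ((x << n) | (x >> (32 - n))) & MASK


def expand(words, rotate=False):
    """Expand 16 message words to 80. SHA-0 uses
    m_i = m_{i-3} ^ m_{i-8} ^ m_{i-14} ^ m_{i-16}; SHA-1 additionally
    rotates the result left by one bit (rotate=True)."""
    if len(words) != 16:
        raise ValueError("expected 16 message words")
    w = [x & MASK for x in words]
    for i in range(16, 80):
        v = w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16]
        w.append(rotl(v, 1) if rotate else v)
    return w


def xor_differences(mods, rotate=False):
    """XOR difference of every expanded word when the message words listed in
    `mods` ({word index: xor mask}) are modified. The expansion is linear over
    XOR, so expanding the difference pattern alone gives the same answer as
    expanding two real messages and XOR-ing the results."""
    delta = [0] * 16
    for i, mask in mods.items():
        delta[i] ^= mask
    return expand(delta, rotate)


def signed_diff(word, bit):
    """Modular difference caused by flipping bit `bit` (0-based) of `word`:
    +2^bit if that bit was 0, -2^bit if it was 1. This is the sign rule used in
    the proof (m_{5,6} = 0 gives delta m_5 = +2^5; the paper's bit k is index k-1)."""
    return (1 << bit) if not (word >> bit) & 1 else -(1 << bit)


def first_nonzero_step(diffs):
    """Step number (1-based; step i consumes m_{i-1}) at which the first
    non-zero expanded difference appears after the 16 input words."""
    for i in range(16, 80):
        if diffs[i]:
            return i + 1
    return None


# Theorem 1 modification: m_5 ^= 2^5, m_6 ^= 2^10, m_7 ^= 2^5, m_10 ^= 2^3.
THEOREM1_MODS = {5: 1 << 5, 6: 1 << 10, 7: 1 << 5, 10: 1 << 3}

# Section 4.4 example on SHA-1: m_10 ^= 2^14, m_11 ^= 2^19, m_15 ^= 2^12.
SHA1_EXAMPLE_MODS = {10: 1 << 14, 11: 1 << 19, 15: 1 << 12}

if __name__ == "__main__":
    d = xor_differences(THEOREM1_MODS)
    print("SHA-0, Theorem 1: first differential appears at step", first_nonzero_step(d))
    for i in range(16, 24):
        print(f"  delta m_{i} = {d[i]:#010x}")
    s = xor_differences(SHA1_EXAMPLE_MODS, rotate=True)
    print("SHA-1, Section 4.4 example:")
    for i in range(16, 24):
        print(f"  delta m_{i} = {s[i]:#010x}")
```

The XOR pattern only says which bits differ; the sign of each term ($\pm$) is fixed by the actual bit values of the message, which is exactly what the extra conditions on $m_{5,6}$, $m_{6,11}$, $m_{7,6}$ and $m_{10,4}$ pin down.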

Theorem 2. Suppose we set the following conditions as Extra Conditions: $a_{11,21} = 
m_{10,21}$, $m_{11,26} \ne m_{10,21}$, $a_{10,23} = a_{9,23}$, $a_{12,19} = 0$, $a_{13,19} = 1$, $m_{15,19} \ne 
m_{10,21}$, $m_{19,26} \ne m_{18,21}$. If we modify the message as shown below, the sufficient 
condition $a_{22,2} = m_{21,2}$ is satisfied with probability of almost 1. 

$m_{10} \leftarrow m_{10} \oplus 2^{20},\quad m_{11} \leftarrow m_{11} \oplus 2^{25},\quad m_{15} \leftarrow m_{15} \oplus 2^{18}$ 

Proof. Since the proof of Theorem 2 is almost the same as the proof of Theorem 
1 and due to lack of space, we omit the explanation of this proof. 

Remark. We experimentally confirmed that the probability that this message 
modification can satisfy the target condition without affecting the other sufficient 
conditions is 97.5%. The complexity of this message modification is less than the 
operations of 3 steps. 

Theorem 3. Suppose we set the following conditions as Extra Conditions: 
$a_{11,8} = m_{10,8}$, $m_{11,13} \ne m_{10,8}$, $a_{10,10} = a_{9,10}$, $a_{12,6} = 0$, $a_{13,6} = 1$, $m_{15,6} \ne 
m_{10,8}$, $m_{19,13} \ne m_{18,8}$. If we modify the message as shown below, the sufficient 
condition $a_{22,4} = a_{21,4}$ (or $a_{22,4} \ne a_{21,4}$) is satisfied with probability of almost 1. 

$m_{10} \leftarrow m_{10} \oplus 2^7,\quad m_{11} \leftarrow m_{11} \oplus 2^{12},\quad m_{15} \leftarrow m_{15} \oplus 2^5$ 

Proof. Since the proof of Theorem 3 is almost the same as that of Theorem 1 and 
due to lack of space, we omit the explanation of this proof. 

Remark. We experimentally confirmed that the probability that this message 
modification can satisfy the target condition without affecting the other sufficient 
conditions is almost 100%. The complexity of this message modification is less 
than the operations of 3 steps. 

Theorem 4. Suppose we set the following conditions as Extra Conditions: $a_{11,16} = 
m_{10,16}$, $m_{11,21} \ne m_{10,16}$, $m_{12,16} \ne m_{10,16}$, $a_{12,14} = 0$, $a_{13,14} = 1$, $m_{15,14} \ne m_{10,16}$, 
$m_{19,21} \ne m_{18,16}$. If we modify the message as shown below, the sufficient 
condition $a_{23,2} = m_{22,2}$ is satisfied with probability of almost 1. 

$m_{10} \leftarrow m_{10} \oplus 2^{15},\quad m_{11} \leftarrow m_{11} \oplus 2^{20},\quad m_{12} \leftarrow m_{12} \oplus 2^{15},\quad m_{15} \leftarrow m_{15} \oplus 2^{13}$ 

Proof. Since the proof of Theorem 4 is almost the same as the proof of Theorem 
1 and due to lack of space, we omit the explanation of this proof. 

Remark. We experimentally confirmed that the probability that this message 
modification can satisfy the target condition without affecting the other sufficient 
conditions is 97%. The complexity of this message modification is less than the 
operations of 4 steps. 


4.4 Application to SHA-1 

Since the collision attack on SHA-1 [15] is similar to the attack on SHA-0, 
submarine modification should be applicable to SHA-1. This section considers the 
application of submarine modification to SHA-1. 

Collision search for SHA-1 uses message modification, as does collision 
search for SHA-0. For SHA-1, only message modification for sufficient 
conditions up to step 22 has been proposed. Therefore, we discuss the possibility 
of applying submarine modification to realizing the sufficient conditions after 
step 22 of SHA-1. As an example, we discuss message modification to satisfy $a_{23,2} = 
m_{22,2}$. 
Example. Suppose we set the following conditions as Extra Conditions: $a_{11,15} = 
m_{10,15}$, $m_{11,20} \ne m_{10,15}$, $a_{10,17} \ne a_{9,17}$, $a_{12,13} = 0$, $a_{13,13} = 1$, $m_{15,13} \ne m_{10,15}$, 
$m_{19,21} \ne m_{18,16}$. If we modify the message as shown below, the sufficient condition 
$a_{23,2} = m_{22,2}$ is satisfied with probability of almost 1. 

$m_{10} \leftarrow m_{10} \oplus 2^{14},\quad m_{11} \leftarrow m_{11} \oplus 2^{19},\quad m_{15} \leftarrow m_{15} \oplus 2^{12}$ 

However, this message modification can impact other sufficient conditions. An 
analysis of this is future work. 

If we execute this procedure, the following message differentials appear from 
step 19 due to the message expansion: $\delta m_{18} = \pm 2^{13} \pm 2^{15}$, $\delta m_{19} = \pm 2^{20}$, $\delta m_{20} = 
\pm 2^{15}$, $\delta m_{21} = \pm 2^{14} \pm 2^{16}$, $\delta m_{22} = \pm 2^{21}$. Since $m_{19,21} \ne m_{18,16}$ is set as the extra 
condition, we can minimize the probability of breaking the other sufficient 
conditions. We omit this explanation since it basically follows that of Theorem 2. 

$\delta m_{18} = \pm 2^{13}$ is transferred as shown below, and $a_{23,2} = m_{22,2}$ is satisfied by 
$\delta a_{23} = \pm 2$. 

$\delta m_{18} = \pm 2^{13} \rightarrow \delta a_{19} = \pm 2^{13} \rightarrow \delta a_{20} = \pm 2^{18} \rightarrow \delta a_{21} = \pm 2^{23} \rightarrow \delta a_{22} = \pm 2^{28} \rightarrow \delta a_{23} = \pm 2$ 

Remark. Wang et al. announced an improved version of their original attack 
on SHA-1 [15] at the NIST Hash Workshop 2005 and CT-RSA'06 [12,13]. 

5 Lack of Sufficient Conditions 

When we use the sufficient conditions given by Wang et al. [14], a collision 
attack does not necessarily succeed even if all sufficient conditions are satisfied. 
This problem occurs because their approach lacks two conditions. Our analysis, 
detailed below, shows that the missing conditions are $b_{0,9} = 0$ and $b_{0,11} = 1$. 
$a_3$ is calculated as follows: 

$a_3 = (a_2 \lll 5) + f(b_2, c_2, d_2) + e_2 + m_2 + k_2.$ 

We transform the above equation for $f$: 

$f(b_2, c_2, d_2) = a_3 - (a_2 \lll 5) - e_2 - m_2 - k_2.$ 

Since $\Delta a_3 = 2 - 2^9 - 2^{11} + 2^{16}$, $\Delta a_2 = -2^4 - 2^6 + 2^{11}$, $\Delta e_2 = 0$ and $\Delta m_2 = 
2 + 2^6 \pm 2^{31}$, $\Delta f(b_2, c_2, d_2)$ is calculated as follows: 

$\Delta f(b_2, c_2, d_2) = \Delta a_3 - (\Delta a_2 \lll 5) - \Delta e_2 - \Delta m_2$ 

$= (2 - 2^9 - 2^{11} + 2^{16}) - ((-2^4 - 2^6 + 2^{11}) \lll 5) - 0 - (2 + 2^6 \pm 2^{31})$ 

$= -2^6 \pm 2^{31}.$ 

Since $\Delta b_2 = -2 + 2^6 + 2^{11}$, $b_{2,2}$ is fixed to change from 1 to 0 due to the differential 
$-2$; $b_{2,7}$ is fixed to change from 1 to 0, $b_{2,8}$ is fixed to change from 1 to 0, and $b_{2,9}$ 
is fixed to change from 0 to 1 due to the use of the differential $2^6$. The sign of the 
change by the differential $\pm 2^{31}$ does not have to be considered since it is the MSB. Here, 
we focus on the 7th and 9th bits. 

First, we discuss the 7th bit. Wang et al. take advantage of the fact that $b_{2,7}$ 
changes from 1 to 0 in order to make the differential $-2^6$ on $f(b_2, c_2, d_2)$. From the 
property of $f(b_2, c_2, d_2) = (b_2 \wedge c_2) \vee (\neg b_2 \wedge d_2)$, if we set $c_{2,7} = 1$ and $d_{2,7} = 0$, 
that is, $a_{0,9} = 1$ and $b_{0,9} = 0$, as sufficient conditions, we can make the differential 
$-2^6$. However, $b_{0,9} = 0$ was not one of the sufficient conditions described by 
Wang et al. 

We turn now to the 9th bit. $b_{2,9}$ changes from 0 to 1. Wang et al. cancel this 
influence in the function $f$. From the property of $f(b_2, c_2, d_2) = (b_2 \wedge c_2) \vee (\neg b_2 \wedge d_2)$, 
if we set $c_{2,9} = d_{2,9}$, that is, $a_{0,11} = b_{0,11}$, we can cancel the influence of the 
change of $b_{2,9}$. Since $a_{0,11} = 1$ is one of the sufficient conditions given by Wang 
et al., we need to set $b_{0,11} = 1$ as a sufficient condition. This sufficient condition 
was not specified by Wang et al. 

From the above, we need to use $b_{0,9} = 0$ and $b_{0,11} = 1$ as sufficient conditions 
in addition to those given by Wang et al. 
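The bitwise argument above can be made concrete. The following Python is an added example, not code from the paper; bit positions in it are 0-based, so the paper's "7th bit" is index 6 and carries the weight $2^6$. `f_bit_diff` gives the signed contribution of one bit of $f(b, c, d) = (b \wedge c) \vee (\neg b \wedge d)$ when $b$'s bit flips while $c$ and $d$ stay fixed, which is the reasoning for both the 7th bit (producing $-2^6$ when $c_{2,7} = 1$, $d_{2,7} = 0$) and the 9th bit (cancelled when $c_{2,9} = d_{2,9}$); `absorbs_flip` is the same selector property that Steps 9 and 10 of the Theorem 1 proof use to cancel $\delta c_8$ and $\delta d_9$; and `delta_f_step3` carries the computation of $\Delta f(b_2, c_2, d_2)$ through modulo $2^{32}$, where the two signs of $\pm 2^{31}$ give the same residue, which is why the MSB sign need not be considered. Treating $(\Delta a_2 \lll 5)$ as multiplication by $2^5$ is an assumption of the example; it holds here because none of the terms crosses the word boundary.

```python
MASK = 0xFFFFFFFF
MOD = 1 << 32


def f_if(b, c, d):
    """Round-1 Boolean function f(b, c, d) = (b AND c) OR (NOT b AND d) on 32-bit words."""
    return ((b & c) | (~b & d)) & MASK


def f_bit(b_bit, c_bit, d_bit):
    """Single-bit view of f: it selects c's bit when b's bit is 1, d's bit when it is 0."""
    return c_bit if b_bit else d_bit


def f_bit_diff(j, b_before, c_bit, d_bit):
    """Signed modular contribution of bit j (0-based) to f when b's bit j
    flips from b_before to its complement while c and d are unchanged."""
    before = f_bit(b_before, c_bit, d_bit)
    after = f_bit(1 - b_before, c_bit, d_bit)
    return (after - before) * (1 << j)


def absorbs_flip(b, j, which):
    """True if flipping bit j of `which` ('c' or 'd') leaves f(b, c, d) unchanged
    whatever c and d are, i.e. the difference is cancelled by b's bit j alone.
    b_j = 0 makes f_j = d_j, so a change in c_j is invisible; b_j = 1 makes f_j = c_j."""
    b_bit = (b >> j) & 1
    return b_bit == 0 if which == "c" else b_bit == 1


def flip_changes_f(b, c, d, j, which):
    """Directly test whether flipping bit j of c or of d changes f(b, c, d)."""
    c2, d2 = (c ^ (1 << j), d) if which == "c" else (c, d ^ (1 << j))
    return f_if(b, c, d) != f_if(b, c2, d2)


def delta_f_step3(delta_a3, delta_a2, delta_e2, delta_m2):
    """Delta f(b_2,c_2,d_2) = Delta a_3 - (Delta a_2 <<< 5) - Delta e_2 - Delta m_2,
    reduced mod 2^32. Inputs are signed sums of powers of two as in the paper."""
    rotated_a2 = delta_a2 * (1 << 5)  # assumption of the example: no term crosses bit 31
    return (delta_a3 - rotated_a2 - delta_e2 - delta_m2) % MOD


def section5_check():
    """Recompute the derivation for both signs of +/-2^31 and return the two
    residues together with the expected value -2^6 +/- 2^31 mod 2^32."""
    da3 = 2 - 2**9 - 2**11 + 2**16
    da2 = -2**4 - 2**6 + 2**11
    results = [delta_f_step3(da3, da2, 0, 2 + 2**6 + sign * 2**31) for sign in (1, -1)]
    expected = (-2**6 + 2**31) % MOD
    return results, expected


if __name__ == "__main__":
    print("7th bit, b 1->0 with c=1, d=0:", f_bit_diff(6, 1, 1, 0))      # -64 = -2^6
    print("9th bit, b 0->1 with c=d:", f_bit_diff(8, 0, 1, 1))          # 0, cancelled
    print("9th bit, b 0->1 with c!=d:", f_bit_diff(8, 0, 1, 0))         # 256, not cancelled
    print("Delta f residues and expected:", section5_check())
```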

6 Complexity of Collision Search 

Without the additional sufficient conditions, the generation of a message that 
yields a collision will fail with probability 3/4. 

Combining the two additional sufficient conditions with those of Wang et al. 
and using submarine modification reduces the complexity of collision search to 
$2^{36}$ SHA-0 operations. This calculation is given below. 

1st block and Steps 1-13 of 2nd block. The complexity of generating 
messages for these steps is insignificant. Refer to the paper written by Wang et 
al. [14]. 

Steps 14-20 of 2nd block. The complexity of generating messages that satisfy 
all sufficient conditions in steps 14-20, including message modification, is less 
than 8 steps. 

Step 21 of 2nd block. The complexity of generating messages that satisfy all 
sufficient conditions up to step 21, including submarine modification, is less 
than 

$8 + 1 + \tfrac{1}{2} \cdot 2 = 10.$ 

Step 22 of 2nd block. The complexity of generating messages that satisfy all 
sufficient conditions up to step 22, including submarine modification, is 
calculated as follows. Let $x_{22,i}$ be the complexity at which the conditions up to step 22 are 
satisfied and the number of times $m_{14}, m_{15}$ are chosen is less than $i$ times. 
In this situation, the following equation holds, with $x_{22,0} = 0$: 

$x_{22,i} = \left(\tfrac{1}{2} \cdot 0.025\right)^{i-1} \cdot \left(10 + 1 + \tfrac{1}{2} \cdot 3 + \tfrac{1}{2} \cdot 3\right) + x_{22,i-1}$ 

The complexity is about 15 steps since $\lim_{i \to \infty} x_{22,i} \approx 15$. 
Table 2. An example of generated collision pair 

M_1block   f459644c b87cdae1 ed98d4a6 7f5c304b a8606648 073dda8d 9f044c3a 2386c95f 
           8b611aa4 d66ed3b9 c4854f6e d57662b3 d687ebe0 f61cefe5 6d0252c2 01f298bc 
h_1block   41f3e784 96831ef3 563e0aa9 d7def7ba 232e8581 
M_2block   76c21fb3 8a725c5a 13a6039c a23c1950 53e65762 b70bbb88 705ec5b6 079e5dd5 
           f58793f6 d67d305e 352ee1b8 87c36500 fd012cb5 a51c4269 6a72aabd 7a2449cc 
M'_2block  f6c21ff1 8a725c5a 93a603de a23c1910 53e65722 b70bbbca f05ec5b4 879e5dd7 
           f58793b6 567d305e b52ee1f8 07c36502 fd012cb7 251c4229 ea72aabd fa24498c 
h_2block   cad681a1 354105dc ac31607b 6ccaba44 c76d1948 


Step 23 of 2nd block. The complexity of generating messages that satisfy all 
sufficient conditions up to step 23, including submarine modification, is 
calculated as follows. Let $x_{23,i}$ be the complexity at which the conditions up to step 23 are 
satisfied and the number of times $m_{14}, m_{15}$ are chosen is less than $i$ times. 
In this situation, the following equation holds, with $x_{23,0} = 0$: 

$x_{23,i} = \left(\tfrac{1}{2} \cdot 0.03\right)^{i-1} \cdot \left(15 + 1 + \tfrac{1}{2} \cdot 4\right) + x_{23,i-1}$ 

The complexity is about 18 steps since $\lim_{i \to \infty} x_{23,i} \approx 18$. 

Step $i$ ($i = 24, \ldots, 80$) of 2nd block. Let the complexity of generating messages 
that satisfy all sufficient conditions up to step $i-1$ be $y_{i-1}$. If there are 
$n_i$ sufficient conditions in the $i$-th step, the probability that all of them are 
satisfied is $2^{-n_i}$. Therefore $y_i$, the complexity of generating messages that 
satisfy all sufficient conditions up to the $i$-th step, is $y_i = (y_{i-1} + 1) \cdot 2^{n_i}$. 
From this equation, $y_{80} = 6180766429108$. This is equivalent to $2^{36}$ SHA-0 
operations. From the above consideration, the total complexity of collision 
search is $2^{36}$ SHA-0 operations. 

Remark. There is a possibility the collision attack could be further improved 
by using another differential path. We discuss this topic in Appendix A. 
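To make the accounting of Section 6 reproducible, here is an added Python example (not the paper's code) that implements the recurrence $y_i = (y_{i-1} + 1) \cdot 2^{n_i}$ for the steps after submarine modification and converts a step count into SHA-0 compression-function evaluations at 80 steps each, which is how the stated $y_{80}$ corresponds to about $2^{36}$ SHA-0 operations. The per-step condition counts $n_i$ used for the demonstration are constructed for illustration; the paper does not list them on this page, only the resulting $y_{80}$.

```python
import math

STEPS_PER_SHA0 = 80          # one SHA-0 compression function is 80 steps
Y_23 = 18                    # complexity up to step 23 from the text (about 18 steps)
Y_80_FROM_PAPER = 6180766429108


def complexity_after(y_start, conditions_per_step):
    """y_i = (y_{i-1} + 1) * 2^{n_i}: reaching step i-1 costs y_{i-1} steps, one more
    step tests step i, and its n_i one-bit conditions all hold with probability 2^{-n_i}.
    Returns the complexity (in steps) after the last listed step."""
    y = y_start
    for n in conditions_per_step:
        if n < 0:
            raise ValueError("condition counts must be non-negative")
        y = (y + 1) * (1 << n)
    return y


def steps_to_log2_sha0_ops(steps, steps_per_compression=STEPS_PER_SHA0):
    """log2 of the number of SHA-0 operations equivalent to `steps` step computations."""
    return math.log2(steps / steps_per_compression)


def total_conditions(conditions_per_step):
    """Sum of n_i; 2^(sum) is what pure trial-and-error over the tail would need."""
    return sum(conditions_per_step)


# Constructed illustration (not the paper's condition counts): 57 steps, 24..80,
# with a few conditions early and none late, as such differential paths typically look.
EXAMPLE_CONDITIONS = [3, 2, 2, 1, 2, 1, 1, 1, 0, 1] + [1, 0, 0, 1] * 5 + [0] * 27

if __name__ == "__main__":
    y80 = complexity_after(Y_23, EXAMPLE_CONDITIONS)
    print("constructed example: y_80 =", y80,
          "steps, about 2^%.1f SHA-0 operations" % steps_to_log2_sha0_ops(y80))
    print("paper's y_80 = 6180766429108 steps, about 2^%.1f SHA-0 operations"
          % steps_to_log2_sha0_ops(Y_80_FROM_PAPER))
```

The "+ 1" in the recurrence is what makes condition counts in early steps cheaper than the same counts in late steps: a failed condition at step 24 wastes one step, a failed condition at step 79 wastes the whole chain up to it.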

7 Conclusion 

In this paper, we proposed submarine modification, a message modification that can 
satisfy the sufficient conditions in steps 21-24. Moreover, we showed that 
submarine modification is applicable to SHA-1. We also showed that the sufficient 
conditions given by Wang et al. are incomplete since they are missing $b_{0,9} = 0$ and 
$b_{0,11} = 1$. Therefore, even if a message that satisfies all sufficient conditions given 
by Wang et al. is discovered, collision generation may fail with probability 3/4. By 
utilizing the two additional sufficient conditions and submarine modification, the 
complexity of collision search is reduced to $2^{36}$ SHA-0 operations. 

Table 2 shows a collision found by using the technique proposed herein. 
$M_{1block}$ is the message of the 1st block, $h_{1block}$ is the output of the 
compression function of the 1st block, $M_{2block}$ is the message for the 2nd block, 
$M'_{2block}$ is the message of the 2nd block after the differential is input, and 
$h_{2block}$ is the output of the compression function of the 2nd block. 
A A Study of Other Disturbance Vectors 

Wang et al. chose a disturbance vector under the condition that the sufficient 
conditions up to step 20 can be satisfied by message modification. Therefore, 
they chose a disturbance vector to minimize the number of sufficient conditions 
after step 20. However, with submarine modification, the sufficient conditions 
up to step 24 can be satisfied by message modification. Therefore, we expect 
that if we choose a disturbance vector to minimize the number of sufficient 
conditions after step 24, we can generate a collision with complexity under $2^{36}$ 
SHA-0 operations. If we use the disturbance vector chosen by Wang et al., the 
number of conditions after step 24 is 38. However, by using the disturbance 
vector shown in Table 3, the number of conditions after step 24 is 37. Therefore, 
we expect that the disturbance vector shown in Table 3 enables us to generate 
a collision with complexity under $2^{36}$ SHA-0 operations. Additional analysis on 
this matter is a future task. 

Table 3. A Disturbance Vector for Reduced Complexity 

i             value 
-5, ..., -1   01110 
0, ..., 19    00000111001101111101 
20, ..., 39   01101110001000101010 
40, ..., 59   00000000100100001000 
60, ..., 79   00100001001011000000 


B Complement of Collision Search by Wang et al. 

B.1 2nd Bit and 7th Bit of Messages 

The complexity claims of Wang et al. address only the sufficient conditions 
of chaining variables. They don't consider the complexity of satisfying the 
sufficient conditions of messages. However, when a random message is generated, 
it must satisfy the sufficient conditions of messages, and this takes a few steps. 
This raises the complexity of collision search. This increase can be suppressed 
by fixing the 2nd bit and 7th bit of the messages in advance in order to ensure 
satisfaction of the sufficient conditions. 

B.2 Sufficient Conditions Given by Wang et al. 

The sufficient conditions of Wang et al. include those for $a_{13,4}$, $a_{14,4}$, $a_{15,4}$, $a_{16,4}$, 
$a_{17,2}$. These values depend on the method used to fix the 2nd and 7th bits of the 
messages (discussed in Appendix B.1). That is, if a fixing method different from 
that of Wang et al. is chosen, the sufficient conditions for $a_{13,4}$, $a_{14,4}$, $a_{15,4}$, $a_{16,4}$, 
$a_{17,2}$ are also changed. 
Abstract. In this paper, we analyze the security of HMAC and NMAC, 
both of which are hash-based, message authentication codes. We present 
distinguishing, forgery, and partial key recovery attacks on HMAC and 
NMAC using collisions of MD4, MD5, SHA-0, and reduced SHA-1. Our 
results demonstrate that the strength of a cryptographic scheme can be 
greatly weakened by the insecurity of the underlying hash function. 


1 Introduction 

Many cryptographic schemes use hash functions as a primitive. Various assump- 
tions are made on the underlying hash function in order to prove the security 
of the scheme. For example, some proofs assume that the hash function behaves 
as a random oracle, while other proofs only assume collision resistance. With 
the continuing development in hash function research, especially now that several popular 
ones are no longer secure against collision attacks, a natural question is whether 
these attacks would have any impact on the security of existing hash-based 
cryptographic schemes. 

In this paper, we focus our study on HMAC and NMAC, which are hash-based 
message authentication codes proposed by Bellare, Canetti and Krawczyk [2]. 
HMAC has been implemented in widely used security protocols including SSL, 
TLS, SSH, and IPsec. NMAC, although less known in the practical world, is the 
theoretical foundation of HMAC — existing security proofs [2,1] were first given 
for NMAC and then extended to HMAC. It is commonly believed that the two 
schemes have identical security. 

The constructions of HMAC and NMAC are based on a keyed hash function 
$F_k(m) = F(k, m)$ in which the IV of $F$ is replaced with a secret key $k$. NMAC 
has the following nested structure: $\mathrm{NMAC}_{(k_1,k_2)}(m) = F_{k_1}(F_{k_2}(m))$, where $k = 
(k_1, k_2)$ is a pair of secret keys. HMAC is similar to NMAC, except that the key 
pair $(k_1, k_2)$ is derived from a single secret key using the hash function. Hence, 
we can view HMAC as NMAC plus a key derivation function. 

The security of HMAC and NMAC was carefully analyzed by its design- 
ers [2]. They showed that NMAC is a pseudorandom function family (PRF) 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 37-53, 2006. 

© International Association for Cryptologic Research 2006 
under the two assumptions that (A1) the keyed compression function $f_k$ of 
the hash function is a PRF, and (A2) the keyed hash function $F_k$ is weakly 
collision resistant¹. The proof for NMAC was then lifted to HMAC by further 
assuming that (A3) the key derivation function in HMAC is a PRF. The 
provable security of HMAC, besides its efficiency and elegance, was an 
important factor for its wide deployment. However, recent collision attacks on 
hash functions [21,24] imply that assumption (A2) in the original proof no 
longer holds when considering concrete constructions such as HMAC-MD5 and 
HMAC-SHA1. To fix this problem, Bellare recently showed [1] that NMAC is 
a PRF under the sole assumption that the keyed compression function $f_k$ is 
a PRF. This implies that the security of HMAC now depends only on 
assumptions (A1) and (A3). The main advantage of the new analysis is that 
the proof assumptions do not seem to be refuted by existing attacks on hash 
functions. 

The new security proofs are quite satisfying, especially since they are based on 
relatively weak assumptions of the underlying hash function. On the other hand, 
they have also raised interesting questions as to whether the proof assumptions 
indeed hold for popular hash functions. In particular, does any existing collision 
attack on a hash function compromise the PRF assumption? And if so, does it 
lead to possible attacks on HMAC and NMAC? 

1.1 Summary of Main Results 

In this paper, we analyze the security of HMAC and NMAC. We answer the 
aforementioned questions in the affirmative by constructing various attacks on 
HMAC and NMAC based upon weaknesses of the underlying hash function. 

Our analysis is based upon existing analyses of hash functions, especially the 
attacks on MD4, MD5, SHA-0, and reduced SHA-1 presented in [25,9,10,7]. We 
first show that the collision differential path in these earlier attacks can be used 
to construct distinguishing attacks on the keyed compression function $f_k$. Hence, 
for MD4, MD5², SHA-0, and reduced SHA-1, $f_k$ is not a PRF. 

Building upon the above attacks, we show how to construct distinguishing, 
forgery, and partial key recovery attacks on HMAC and NMAC when the 
underlying hash functions are MD4, MD5, SHA-0, and reduced SHA-1. The complexity 
of our attacks is closely related to the total probability of the collision differential 
path, and in some cases it is less than the $2^{n/2}$ generic bound for birthday-type 
attacks. A summary of our main results is given in Table 1. We remark that in 
our key recovery attack the adversary can retrieve the entire inner key $k_2$. This 
can greatly weaken the security of the scheme. In particular, when the keyed 
inner function is degraded to a hash function with a known IV, further attacks 
such as single-block forgeries become possible. 


¹ Please refer to Section 3 for precise definitions of $f_k$ and $F_k$. The notion of weakly 
collision resistant (WCR) was introduced in [2]. Roughly, $F_k$ is WCR if it is 
computationally infeasible to find $m \ne m'$ s.t. $F_k(m) = F_k(m')$ for hidden $k$. 

² In the case of MD5, $f_k$ is not a PRF under related-key attacks. 



Forgery and Partial Key-Recovery Attacks on HMAC and NMAC 




Table 1. Result summary: number of queries in our attacks on HMAC/NMAC 

function                   distinguish & forgery attacks   key recovery attacks   comments 
HMAC/NMAC-MD4              2^58                            2^63 
NMAC-MD5                   2^47                            2^45                   related-key attacks 
HMAC/NMAC-SHA-0            2^84                            2^84 
HMAC/NMAC-reduced SHA-1    2^34                            2^31                   inner function is 34 rounds 


1.2 Use of Hash Collisions in Our Attacks 

Our attacks on HMAC and NMAC are based on collisions of the keyed inner 
function $F_{k_2}$. The main reason that an adversary can observe such collisions is 
that in our scenario the outer function $F_{k_1}$, although hiding the output of the 
inner function, does not hide the occurrence of an inner collision. 

In our key recovery attacks, each bit of collision information - whether or not 
a collision occurs from a set of properly chosen messages - roughly reveals one bit 
of the inner key. This is due to the fact that a collision holds information about 
the entire hash computation, and hence the secret key. Our techniques illustrate 
that collisions within a hash function can potentially be very dangerous to the 
security of the upper-layer cryptographic scheme. 

1.3 Other Results 

General framework for analyzing HMAC and NMAC. We extend the approach 
in our attacks to provide a general framework for analyzing HMAC and NMAC. 
This framework also points to possible directions for hash function attacks that 
most likely lead to further improved attacks on HMAC and NMAC. 

Attacks on key derivation in HMAC-MD5. We study the key derivation func- 
tion in HMAC-MD5, which is essentially the MD5 compression function keyed 
through the message input. We describe distinguishing and second preimage 
attacks on the function with complexity much less than the theoretical bound. 
New modification technique. We develop a new message modification tech- 
nique in our key recovery analysis. In contrast with Wang’s techniques [21,22], 
our method does not require full knowledge of the internal hash computation 
process. We believe that our new technique may have other applications. 

1.4 Implications 

In practice, HMAC is mostly implemented with MD5 or SHA-1. To a much lesser 
extent, there is some deployment of HMAC-MD4 (for example, see [12]). We are 
not aware of any deployment of NMAC. The attacks presented in this paper do 
not imply any immediate practical threat to implementations of HMAC-MD5 or 
HMAC-SHA1. However, our attacks on HMAC-MD4 may not be out of range 
of some adversaries, and therefore it should no longer be used in practice. 
We emphasize that our results on HMAC complement, rather than contradict, 
the analysis in [2,1]. While the designers proved that HMAC is secure under 
certain assumptions on the underlying hash function, we show that attacks are 
possible when these assumptions do not hold. 

1.5 Organization of the Paper 

In Section 3, we provide brief descriptions of HMAC, NMAC and the MDx family. 
In Section 5, we present all three types of attacks on NMAC-MD5, which is 
based on the MD5 pseudo-collision (Section 4). The simplicity of the underlying 
differential path in this case facilitates our explanation, especially the technical 
details of our key recovery attack. For attacks on HMAC and NMAC using other 
underlying hash functions, the methods are similar and thus we just focus on 
what is different in each case in Section 6. In Section 7, we describe a general 
framework for analyzing HMAC and NMAC. 

2 Related Work 

Our analysis on HMAC and NMAC is closely related to various attacks on hash 
functions, especially those in the MDx family. In addition, our work is also re- 
lated to the rich literature on message authentication codes. Many early heuristic 
designs for MACs were broken, sometimes in ways that allowed forgery and key 
recovery [17,18,19]. These early analyses were the driving force behind proposals 
with formal security proofs, namely HMAC and NMAC [2]. Since their publi- 
cation, most of the security analysis was provided by the designers. Recently, 
Coron et al. [11] studied the security of HMAC and NMAC in the setting of 
constructing iterative hash functions. After our submission to Asiacrypt’06, we 
learned that Kim et al. [15] did independent work on distinguishing and forgery 
attacks on HMAC and NMAC when the underlying functions are MD4, SHA-0, 
and reduced SHA-1. They did not consider key recovery attacks. 

Some of our attacks are in the related-key setting. Related-key attacks were 
introduced by Biham [5] and Knudsen [14] to analyze block ciphers. A theoret- 
ical treatment of related-key attacks was given by Bellare and Kohno [4]. The 
relevance of related-key cryptanalysis is debated in the cryptographic commu- 
nity. For example, some suggest that the attacks are only practical in poorly 
implemented protocols. On the other hand, cryptographic primitives that resist 
such attacks are certainly more robust, and vulnerabilities can sometimes indi- 
cate weaknesses in the design. See the introduction to [13] for example settings in 
which related-key attacks can be applied. We note that the designers of HMAC 
and NMAC did not consider the related key setting in their security analysis. 

3 Preliminaries 

3.1 Hash Functions and the MDx Family 

A cryptographic hash function is a mathematical transformation that takes an 
input message of arbitrary length and produces an output of fixed length, called 
the hash value. Formal treatment of cryptographic hash functions and their 
properties can be found in [20]. In practice, hash functions are constructed by 
iterating a compression function $f(cv, x)$ which takes fixed-length inputs: a chaining 
variable $cv$ of $n$ bits and a message block $x$ of $b$ bits. The hash function $F$ is 
defined as follows: First divide the input message $m$ into $x_1, x_2, \ldots, x_s$ according 
to some preprocessing specification, where each $x_i$ is of length $b$. Then set the 
first chaining variable $cv_0$ as the fixed IV, and compute $cv_i = f(cv_{i-1}, x_i)$ for 
$i = 1, 2, \ldots, s$. The final output $cv_s$ of the iteration is the value of $F$. 

The MDx family of hash functions includes MD4, MD5, SHA-0, SHA-1, and 
others with similar structure. Here we briefly describe the structure of MD5 and 
omit the others. The compression function of MD5 takes a 128-bit chaining variable 
and a 512-bit message block. The chaining variable is split into four registers 
$(A, B, C, D)$, and the message block is split into 16 message words $m_0, \ldots, m_{15}$. 
The compression function consists of 4 rounds of 16 steps each, for a total of 64 
steps. In each step, the registers are updated according to one of the message 
words. The initial registers $(A_0, B_0, C_0, D_0)$ are set to be some fixed IV. Each 
step $t$ ($0 \le t < 64$) has the following general form³: 

$X_t \leftarrow (A_t + \phi(B_t, C_t, D_t) + w_t + K_t) \lll s_t$ 
$(A_{t+1}, B_{t+1}, C_{t+1}, D_{t+1}) \leftarrow (D_t, X_t + B_t, B_t, C_t)$ 

In the above equation, $\phi$ is a round-dependent Boolean function, $K_t$ is a step- 
dependent constant, and $s_t$ is a step-dependent rotation amount. In each round, 
all 16 message words are applied in a different order, and so $w_t$ is one of the 
16 message words. After the 64 steps, the final output is computed as $(A_{64} + 
A_0, B_{64} + B_0, C_{64} + C_0, D_{64} + D_0)$. 

3.2 Message Authentication Codes, HMAC and NMAC 

A message authentication code is a mathematical transformation that takes as 
inputs a message and a secret key and produces an output called authentication 
tag. The most common attack on MACs is a forgery attack, in which the adversary
can produce a valid message/tag pair without knowing the secret key. For MACs
that are based on iterative hash functions, there is a birthday-type forgery
attack [17,3] that requires about $2^{n/2}$ MAC queries, where $n$ is the length
of the authentication tag.

HMAC and NMAC are both hash-based MACs. Let $F$ be the underlying hash function
and $f$ be the compression function. The basic design approach for NMAC is to
replace the fixed IV in $F$ with a secret key (aka keyed via the IV). Following
the notation in [2], we use $f_k(x) = f(k, x)$ to denote the keyed compression
function and $F_k(x) = F(k, x)$ the keyed hash function. Let $(k_1, k_2)$ be a
pair of independent keys. The NMAC function, on input message $m$ and secret
key $(k_1, k_2)$, is defined as:

$$\mathrm{NMAC}_{(k_1, k_2)}(m) = F_{k_1}(F_{k_2}(m)).$$

$^3$ We use a slightly different notation from previous work so that there is a
unified description for all the steps.
The construction of HMAC was motivated by practical implementation needs. Since
NMAC changes the fixed IV in $F$ into a secret key, this requires a modification
of existing implementations of the hash function. To avoid this problem, the
designers introduced the fixed-IV variant HMAC. Let $const_1$ and $const_2$ be
two fixed constants. The HMAC function, on input message $m$ and a single secret
key $k$, is defined as:

$$k_1 = f(IV, k \oplus const_1) \tag{1}$$
$$k_2 = f(IV, k \oplus const_2) \tag{2}$$
$$\mathrm{HMAC}_k(m) = \mathrm{NMAC}_{(k_1, k_2)}(m).$$

In the above description for HMAC, we can consider Equations (1) and (2)
together as a key derivation function KDF which takes a single secret key $k$
and outputs a pair of keys $(k_1, k_2)$. That is, $(k_1, k_2) = \mathrm{KDF}(k)$.
Hence, HMAC is essentially "KDF + NMAC". We remark that the term "key derivation
function" was not used in [2], but this view of the HMAC construction will be
quite convenient for our later analysis.

4 Pseudo-collisions of MD5 

In [9], den Boer and Bosselaers analyzed the compression function of MD5 and
found pseudo-collisions of the form $f(cv, m) = f(cv', m)$, where $cv$ and $cv'$
are two different IVs. Such pseudo-collisions of MD5 are the basis for our
related-key attacks on NMAC-MD5. In this section, we discuss some properties of
the pseudo-collisions under the framework of differential cryptanalysis.

Differential cryptanalysis was introduced by Biham and Shamir [8] to analyze 
the security of DES. The idea also applies to the analysis of hash functions. In 
a hash collision attack, we consider input pairs with an appropriately defined 
difference and analyze how the differences in the chaining variables evolve dur- 
ing the hash computation. The intermediate differences collectively are called 
a differential path, and its probability is defined to be the probability that the 
path holds when averaged over all input pairs satisfying the given difference. 

For the MD5 pseudo-collisions in [9], the messages are the same and the input
difference is only in the chaining variables. The pair of initial chaining
variables $(cv, cv')$ as well as all the intermediate values satisfy the
following difference:

$$cv \oplus cv' = (80000000\ 80000000\ 80000000\ 80000000) \stackrel{\text{def}}{=} \Delta_{msb}. \tag{3}$$

Putting in concrete terms, the differences are only in the most significant bit
(MSB) of each register $A_t, B_t, C_t, D_t$. This simple pattern propagates
through all 64 steps of MD5. Because of the extra addition operation at the end,
the difference disappears, yielding a pseudo-collision.

The differential path requires the following conditions on the IV:

$$\mathrm{MSB}(B_0) = \mathrm{MSB}(C_0) = \mathrm{MSB}(D_0) = b, \tag{4}$$

where $b = 0$ or $1$. Moreover, the MSBs of the intermediate registers are the
same for most of the first round. Namely, for $1 \le t \le 15$,

$$\mathrm{MSB}(A_t) = \mathrm{MSB}(B_t) = \mathrm{MSB}(C_t) = \mathrm{MSB}(D_t) = b.$$

The total probability of the differential is $2^{-46}$.
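The following is an added worked example, not code from the paper. It implements the MD5 compression function exactly in the unified step notation of Section 3.1, builds the keyed hash $F_k$, NMAC and the "KDF + NMAC" view of HMAC from Section 3.2 on top of it, and traces the MSB-only register difference $\Delta_{msb}$ of Section 4 through the step function. Assumptions not stated on the page: message preprocessing follows RFC 1321 padding, and $const_1$, $const_2$ are the standard HMAC opad (0x5C) and ipad (0x36)
constants, so that the construction can be checked against Python's hashlib and hmac modules.

```python
# Added example (not the paper's code): MD5's compression function in the unified
# step notation of Section 3.1, the keyed hash F_k, NMAC and the "KDF + NMAC"
# view of HMAC from Section 3.2, and a tracer for the MSB-only register
# difference Delta_msb of Section 4.  Padding follows RFC 1321 (assumption) and
# the results are checked against Python's hashlib/hmac modules.
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF
DELTA_MSB = (0x80000000,) * 4                      # Delta_msb of Equation (3)
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Step constants K_t, rotation amounts s_t, and which message word w_t is used
# at step t (each round applies all 16 words in a different order).
K = [int(abs(math.sin(t + 1)) * 2 ** 32) & MASK for t in range(64)]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
W = ([t for t in range(16)] + [(5 * t + 1) % 16 for t in range(16)]
     + [(3 * t + 5) % 16 for t in range(16)] + [(7 * t) % 16 for t in range(16)])

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def phi(t, b, c, d):
    """Round-dependent Boolean function phi of step t."""
    r = t // 16
    if r == 0:
        return (b & c) | (~b & d & MASK)
    if r == 1:
        return (b & d) | (c & ~d & MASK)
    if r == 2:
        return b ^ c ^ d
    return c ^ (b | (~d & MASK))

def steps(cv, block):
    """Yield (A_t, B_t, C_t, D_t) for t = 1..64 using
    X_t = (A_t + phi(B_t,C_t,D_t) + w_t + K_t) <<< s_t and
    (A_{t+1}, B_{t+1}, C_{t+1}, D_{t+1}) = (D_t, X_t + B_t, B_t, C_t)."""
    m = struct.unpack("<16I", block)
    A, B, C, D = cv
    for t in range(64):
        X = rotl((A + phi(t, B, C, D) + m[W[t]] + K[t]) & MASK, S[t])
        A, B, C, D = D, (X + B) & MASK, B, C
        yield (A, B, C, D)

def compress(cv, block):
    """f(cv, x): 64 steps, then the feed-forward addition of cv."""
    *_, last = steps(cv, block)
    return tuple((r + c) & MASK for r, c in zip(last, cv))

def F(cv, msg, absorbed=0):
    """Iterated hash of Section 3.1 with cv as the (possibly secret) IV.
    absorbed = bytes already fed into cv, so that the length field in the
    padding matches what a standard HMAC implementation computes."""
    total = absorbed + len(msg)
    data = msg + b"\x80" + bytes((55 - total) % 64) + struct.pack("<Q", 8 * total)
    for i in range(0, len(data), 64):
        cv = compress(cv, data[i:i + 64])
    return cv

def md5(msg):
    return struct.pack("<4I", *F(IV, msg))

def nmac(k1, k2, msg, absorbed=0):
    """NMAC_(k1,k2)(m) = F_k1(F_k2(m)); both keys enter through the IV."""
    inner = struct.pack("<4I", *F(k2, msg, absorbed))
    return struct.pack("<4I", *F(k1, inner, absorbed))

def kdf(key):
    """Equations (1) and (2): (k1, k2) = KDF(k); const1 = opad, const2 = ipad
    (assumed, as in the HMAC standard)."""
    key = (md5(key) if len(key) > 64 else key).ljust(64, b"\x00")
    k1 = compress(IV, bytes(b ^ 0x5C for b in key))
    k2 = compress(IV, bytes(b ^ 0x36 for b in key))
    return k1, k2

def hmac_md5(key, msg):
    """HMAC = KDF + NMAC; the 64-byte key block counts toward the padded length."""
    k1, k2 = kdf(key)
    return nmac(k1, k2, msg, absorbed=64)

def path_length(cv, block):
    """How many leading steps the pair (cv, cv xor Delta_msb) keeps the register
    difference of Equation (3).  Under condition (4) the first step always
    follows the path; later steps need the MSB conditions of Section 4."""
    cv2 = tuple(x ^ y for x, y in zip(cv, DELTA_MSB))
    n = 0
    for r1, r2 in zip(steps(cv, block), steps(cv2, block)):
        if tuple(x ^ y for x, y in zip(r1, r2)) != DELTA_MSB:
            break
        n += 1
    return n

def check_against_stdlib():
    """True iff md5/hmac_md5 agree with hashlib and hmac on a few inputs
    (RFC 2202 test case 1 among them)."""
    for key, msg in [(b"\x0b" * 16, b"Hi There"), (b"Jefe", b"x" * 200), (b"k" * 80, b"")]:
        if hmac_md5(key, msg) != hmac.new(key, msg, hashlib.md5).digest():
            return False
    return all(md5(m) == hashlib.md5(m).digest() for m in (b"", b"abc", b"a" * 56, b"a" * 1000))
```

`path_length` makes the first claim of Section 4 concrete: with $\mathrm{MSB}(B_0) = \mathrm{MSB}(C_0) = \mathrm{MSB}(D_0)$, the MSB flip in $\phi$ cancels the MSB flip in $A_t$ modulo $2^{32}$, so $X_t$ is unchanged and all four registers keep the $\Delta_{msb}$ difference after step 0; whether later steps follow depends on the MSB of each new $B_t$, which is where the $2^{-46}$ comes from.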

5 Related-Key Attacks on NMAC-MD5 

In this section, we present distinguishing, forgery, and partial key recovery at- 
tacks on NMAC-MD5 in the related-key setting. In this setting, the goal of the 
adversary is to break the MAC by obtaining input/output pairs of two MAC 
oracles whose keys are different but with a known relation. 

As described in Section 4, the differential path for the MD5 pseudo-collision
holds with probability $2^{-46}$. Given the path, we can construct a related-key
distinguishing attack on the keyed MD5 compression function that requires about
$2^{47}$ queries. This distinguishing attack is the basis for all three types of
attacks on NMAC-MD5. Since the distinguishing attacks on the MD5 compression
function and on NMAC-MD5 are nearly identical, we omit the details of the former.

Recall that in NMAC, the inner function $F_{k_2}$ is keyed through the IV. Hence,
in our related-key attacks, the difference in the inner key is set according to
the input IV difference given by Equation (3). More specifically, we have the
following setting for our related-key attacks on NMAC-MD5:

- There are two oracles $\mathrm{NMAC}_{(k_1, k_2)}$ and $\mathrm{NMAC}_{(k_1', k_2')}$.
  The relation between $(k_1, k_2)$ and $(k_1', k_2')$ is set as:

$$k_1 = k_1' \quad \text{and} \quad k_2 \oplus k_2' = \Delta_{msb}. \tag{5}$$

- The adversary queries each oracle on input messages of its choice and is
  given the corresponding authentication tag.

5.1 Related-Key Distinguishing and Forgery Attacks on NMAC-MD5

We first present a related-key distinguishing attack on NMAC-MD5, based upon
the lack of pseudorandomness of the keyed MD5 compression function. In this
attack, the adversary is given two oracles $(O, O')$, which can either be the
two NMAC oracles as defined by Equation (5) or oracles for truly random
functions. The adversary generates $2^{46}$ random messages and queries both
oracles. If a collision $O(m) = O'(m)$ is observed for any message $m$, it
identifies the oracles as NMAC; otherwise, it identifies them as truly random
functions.

The correctness of the attack is easy to see: After $2^{46}$ messages, a
collision of the inner function is expected. That is, $F_{k_2}(m) = F_{k_2'}(m)$.
Since the outer key $k_1$ is the same, the inner collision yields a collision
for the two NMAC oracles. The complexity is $2^{46}$ random queries to each
oracle, for a total of $2^{47}$ queries. The attack succeeds if $k_2$ satisfies
the condition given by Equation (4). Hence, for two random NMAC key pairs which
satisfy the relation given by Equation (5), the success probability of our
distinguishing attack is 1/4.

It is worth noticing that the outer function in NMAC, although hiding the
output of the inner function, does not hide the occurrence of an inner
collision. This property is very useful for converting the distinguishing attack
on the inner function (which is the keyed MD5 compression) to a distinguishing
attack on NMAC. Such a conversion also applies to HMAC.

The attack can be extended to a forgery attack as follows [17,3]: Once a
message $m$ is found that causes a collision of the two NMAC oracles, the
adversary queries the first oracle on $m \| e$ for any extension $e$ and obtains
$tag = \mathrm{NMAC}_{(k_1, k_2)}(m \| e)$. Then, it produces $(m \| e, tag)$ as
a forgery for the second oracle. Since $\mathrm{NMAC}_{(k_1, k_2)}(m \| e) =
\mathrm{NMAC}_{(k_1', k_2')}(m \| e)$, the forged authentication tag is valid. The
complexity is $2^{47}$ random queries plus one chosen query. Hence, the total
number of queries is about $2^{47}$ and the success probability is 1/4.

5.2 Related-Key Key Recovery Attack on NMAC-MD5 

We present a partial key recovery attack on NMAC-MD5, in which the adversary
can retrieve the entire inner key in NMAC. This is the most technical part of
the paper, so we start with a high level description of the key recovery
algorithm consisting of four phases:

- Phase 1. The attacker generates random messages until it obtains a message
  $m$ that causes a collision of the two NMAC oracles.

- Phase 2. The attacker modifies certain bits of $m$ to create new messages
  $m^*$ and observes whether any $m^*$ causes a new collision. This collision
  information allows the attacker to recover many bits in the intermediate
  registers $S = (A_{14}, B_{14}, C_{14}, D_{14})$ in the computation of
  $F_{k_2}(m)$.

- Phase 3. Similar to Phase 2, the attacker recovers a few additional bits from
  other registers, and uses this information to determine more bits of $S$ with
  a possible small additive error.

- Phase 4. The attacker guesses all remaining unknown bits of $S$ and steps
  through the MD5 computation backwards to get $(A_0, B_0, C_0, D_0)$, a
  candidate for $k_2$. It verifies whether $F_{k_2}(m) = F_{k_2'}(m)$. If so, it
  outputs $k_2$ as the inner key; otherwise, go back to Phase 1.

Phase 1 and Phase 4 of the key recovery algorithm are fairly straightforward, 
and so for the rest of the section we focus on Phase 2 and Phase 3. We first 
explain the main idea and then present detailed analysis. 


Main idea. For Phase 2 and Phase 3, the objective is to recover bits of some
intermediate registers through collision information. To achieve this goal, we
take a closer look at the collision differential paths and analyze what
information can be derived from such paths. Let $DP_m$ denote the differential
path induced by $m$, i.e., all the intermediate differences in the computation
of $F_{k_2}(m)$ and $F_{k_2'}(m)$.
Since $m$ yields a collision, we know that $DP_m$ follows the differential path
for the MD5 pseudo-collision. In particular, for the computation of
$F_{k_2}(m)$, we have $\mathrm{MSB}(B_t) = b$ for $1 \le t \le 15$. WLOG, we
assume $b = 0$.

For a given step $t$ in the first round, we introduce a new message $m^*$ that
is defined based on message $m$ as follows:

$$m^*_j = \begin{cases} m_j & \text{if } 0 \le j < t \\ m_j + \Delta & \text{if } j = t \\ \text{random} & \text{if } t < j < 16 \end{cases} \tag{6}$$

We next consider the differential path $DP_{m^*}$ induced by $m^*$. Since $m$
and $m^*$ are the same up to Step $t-1$, the two paths $DP_m$ and $DP_{m^*}$
are the same until this step. For Step $t$, let $B^*_{t+1}$ be the newly
computed register by replacing $m_t$ with $m^*_t = m_t + \Delta$. We know that
$B^*_{t+1}$ will be different from $B_{t+1}$. A key observation is that if
$\mathrm{MSB}(B^*_{t+1})$ changes from 0 to 1, then the path $DP_{m^*}$ will
drift away from the collision differential path, and hence the chance of it
producing a collision after 64 steps is negligible. More precisely, we have the
following lemma.

Lemma 1. Let $m^*$ be a message defined as in Equation (6), and let $p^*$ be
the probability that $m^*$ causes a collision $F_{k_2}(m^*) = F_{k_2'}(m^*)$.
If $\mathrm{MSB}(B^*_{t+1}) = 0$, then $p^* = 2^{t-45}$ when averaged over all
random $m^*_j$ ($j > t$). If $\mathrm{MSB}(B^*_{t+1}) = 1$, then
$p^* \approx 2^{-128}$.

For a given value $\Delta$, Lemma 1 can be used to detect the MSB of $B^*_{t+1}$
as follows: generate about $2^{45-t}$ messages satisfying Equation (6) and query
both NMAC oracles on these messages. If a collision is observed, then the MSB of
$B^*_{t+1}$ is 0; otherwise, the bit is 1.

In what follows, we show how to use the above collision information to recover
$B_{t+1}$. To better illustrate the intuition, we consider a simplified step
function where the rotate is eliminated. Hence Step $t$ becomes
$B_{t+1} = m_t + T$ and $B^*_{t+1} = m^*_t + T$, where the value $T$ has been
determined before Step $t$. To detect bit $i$ of $B_{t+1}$, we set
$m^*_t = m_t + 2^i$. This implies that

$$B^*_{t+1} = B_{t+1} + 2^i. \tag{7}$$

We consider the effect of the above increment, depending on whether bit $i$ of
$B_{t+1}$ is 0 or 1:

- If bit $i$ of $B_{t+1}$ is 0, then the increment will not cause a carry. In
  this case, $\mathrm{MSB}(B^*_{t+1}) = \mathrm{MSB}(B_{t+1}) = 0$, and we will
  observe a collision in the expected number of queries.

- If bit $i$ of $B_{t+1}$ is 1, then the increment causes a carry. Furthermore,
  if we can set bits $[(i+1)..30]$ of $B^*_{t+1}$ to be all 1, then the carry
  will go all the way to the MSB of $B^*_{t+1}$. In this case,
  $\mathrm{MSB}(B^*_{t+1}) = \mathrm{MSB}(B_{t+1}) + 1 = 1$, and we will not
  observe a collision.

To ensure the carry propagates to the MSB, we set $m^*_t = m_t + 2^i + d$, for
an appropriate choice of $d$. So Equation (7) becomes
$B^*_{t+1} = B_{t+1} + 2^i + d$.
The above analysis yields an algorithm for determining $B_{t+1}$ one bit at a
time, from bit 30 to bit 0. (Note that we already know bit 31 of $B_{t+1}$ is 0
by assumption.) We refer to this algorithm as the bit flipping algorithm, and
the complete description is given in Appendix A.

Detailed analysis. The main idea described above generally applies to any
register $B_t$ for $0 < t < 15$. In Phase 2, the registers to be recovered are

$$(B_{11}, B_{12}, B_{13}, B_{14}) = (A_{14}, D_{14}, C_{14}, B_{14}).$$

The reason why we choose later registers rather than earlier ones is to minimize
the number of oracle queries, which is $2^{45-t}$ per oracle per bit computed of
register $B_{t+1}$. We leave $B_{15}, B_{16}$ free so that there is enough
randomness for generating new collisions.

We now consider how to apply the bit flipping algorithm in the presence of
rotation. We need to do $B^*_{t+1} = B_{t+1} + 2^i + d$ for $i = 30, 29, \ldots, 0$.
However, we are not able to do so by just setting $m^*_t = m_t + 2^i + d$
because of the rotation operation $\lll s_t$. Instead, we use a modified bit
flipping algorithm (see Appendix A for details). In this algorithm, we set
$m^*_t = m_t + 2^{i'} + d'$ where

$$i' + s_t = i \bmod 32 \quad \text{and} \quad d' \lll s_t = d.$$

Note that if addition and rotation could commute, then setting $m^*_t$ as above
would have the same effect as $B^*_{t+1} = B_{t+1} + 2^i + d$. Since this is not
the case, some error might occur when applying the modified algorithm.
Fortunately, the error is manageable: we can show that the modified algorithm
almost always succeeds for recovering the most significant $(32 - s_t)$ bits of
$B_{t+1}$. In other words, if it fails, it is almost always on the least
significant $s_t$ bits. More precisely, we have the following lemma. The proof
is omitted due to space limits.

Lemma 2. For step $t$, let $p_t$ be the probability that the modified bit
flipping algorithm correctly recovers the most significant $(32 - s_t)$ bits of
$B_{t+1}$, when averaged over all possible input messages $m$. Then
$p_t \ge 1 - 2^{-s_t} - 2^{-s_t - 1}$.

For the four steps $t = 10, 11, 12, 13$, the rotation amounts are
$s_t = 17, 22, 7, 12$. Hence, we can use the modified bit flipping algorithm to
determine the following bits of the registers:

$A_{14} = B_{11}$: most significant 15 bits
$D_{14} = B_{12}$: most significant 10 bits
$C_{14} = B_{13}$: most significant 25 bits
$B_{14} = B_{14}$: most significant 20 bits

In total we already recover 70 bits of the registers. We could proceed to Phase
4 and guess the remaining 58 bits. This would yield a key recovery algorithm
with query complexity $2^{47}$ and time complexity equal to about $2^{58}$ MD5
operations, which is much less than exhaustive key search.
With refined analysis, we can further reduce the workload by doing an
insignificant number of additional queries in Phase 3. We do so by following
similar steps as in Phase 2, except recovering bits of earlier registers, namely
the most significant $(32 - s_t)$ bits of $B_{10}, B_9, B_8$. Once these bits
are known, the interaction between successive steps can be used to determine 10
more bits of the registers $(A_{14}, D_{14}, C_{14}, B_{14})$ up to a possible
small additive error. Due to space limits, specific details are omitted.
Together with an early stopping technique in Phase 4, the remaining workload is
at most $2^{45}$ MD5 operations. This can be reduced further, but $2^{45}$ is
already doable with moderate computing resources. The total number of queries is
still dominated by that of Phase 1, which is $2^{47}$.

Implementation results. We have implemented the key recovery attack on
NMAC-MD5. In our implementation, we used a reduced-round version of MD5, in
which the last round (16 steps) is omitted. Since the attack only depends on
properties of the first round, the reduction in rounds does not affect the
analysis except that the query complexity is reduced from $2^{47}$ to $2^{31}$.
In our experiment, the algorithm correctly recovered the inner key bits.

Remarks on message modification techniques. In the key recovery analy- 
sis, we use information about the collision differential paths to derive information 
about the intermediate registers. To generate useful paths, we developed a new 
message modification technique that works even when the internal hash compu- 
tation is unknown due to the presence of the secret key. 

It is worth comparing our modification techniques with Wang's original message
modification techniques [21,22], which deal with the situation where the
entire hash computation is known since there is no secret for a keyless hash 
function. Note that the objective of the modification is also different for collision 
attacks and our key recovery attacks: the goal for the former is to modify mes- 
sages so that collisions can occur with high probability; the goal for the latter is 
to modify messages so that certain collisions may or may not occur, depending 
upon the value of the secret key. 

5.3 Attacks on the KDF in HMAC-MD5 

Given our related-key attacks on NMAC-MD5, an immediate question is whether
they are applicable to HMAC-MD5. Since the difference between HMAC and NMAC is
the extra key derivation function KDF, we analyze properties of KDF in HMAC-MD5,
which consists of two functions of the form $k_i = f(IV, k \oplus const_i)$.
Here the MD5 compression function $f$ is used as $f(x, K)$, where
$x \in \{0,1\}^{128}$ and the key $K \in \{0,1\}^{512}$. For ease of reference,
we denote $f(x, K)$ by $g_K(x)$. So $\{g_K\}_{K \in \{0,1\}^{512}}$ is a family
of functions indexed by $K$.

As noted in Section 5.4 of [1], Rijmen observed that it seems possible to
extend the pseudo-collision of MD5 [9] to a distinguishing attack on $\{g_K\}$.
Here, we describe the details of such an attack: The adversary generates
$2^{46}$ random pairs $(x, x')$ such that $x \oplus x' = \Delta_{msb}$, and
queries an oracle, which is either $g_K$ or a truly random function. If the
adversary observes a collision for any pair, then it identifies the oracle as
$g_K$; otherwise, it identifies the oracle as a truly random function. The
complexity of the attack is $2^{47}$ queries.

Recall that the HMAC security proofs [1,2] require KDF to be a PRF. However,
the above distinguishing attack implies that the KDF in HMAC-MD5 is not a PRF.
Despite the non-pseudorandomness, its presence does help HMAC-MD5 to resist our
related-key attacks for the following reason. In order to apply the attacks to
HMAC-MD5, we would need to set appropriate differences in the single key $k$
and hope that $(k_1, k_2) = \mathrm{KDF}(k)$ would yield the required difference
for $k_2$ while keeping $k_1$ the same (see Equation (5)). However, this appears
to be very difficult, since any differences in $k$ would almost certainly cause
differences in both $k_1$ and $k_2$, thus making the attacks impossible.

Of independent interest, we present a second preimage attack on $g_K$, also
based on [9]. Here the key $K$ can be either secret or known. The attack works
as follows: For a given random input $x \in \{0,1\}^{128}$, the adversary sets
$x'$ such that $x \oplus x' = \Delta_{msb}$, and outputs $x'$ as a second
preimage of $x$. The success probability is about $2^{-48}$, since the
probability that $x$ satisfies Equation (4) is $2^{-2}$, and the probability
that the pair $(x, x')$ then follows the differential path to produce a
collision is $2^{-46}$ (meaning $x'$ is a second preimage of $x$). Hence, the
above attack requires $O(1)$ workload, no queries, and succeeds with probability
$2^{-48}$, which is much higher than the $2^{-128}$ theoretical bound.

6 Attacks on HMAC/NMAC with Other Hash Functions 

The basis for our attacks on NMAC-MD5 is a collision differential path for the 
keyed MD5 compression function that holds with relatively large probability. The 
same ideas and techniques also apply to other underlying hash functions such 
as MD4, SHA-0, and reduced SHA-1. In this section, we present three types of 
attacks on HMAC and NMAC for these underlying hash functions, all in the 
standard setting. 

6.1 Attacks on HMAC/NMAC-MD4

MD4 has long been known to be insecure, but it was an open question whether 
HMAC-MD4 can still be used as a PRF or a secure MAC. We answer the question 
in the negative by presenting attacks on HMAC/NMAC-MD4. 

Our attacks are based upon the second preimage attack on MD4 by Yu et al. [25].
Table 3 of [25] gives a differential path that leads to a collision with
probability $2^{-62}$. The details that are most relevant to our attacks are the
message difference: there is only a one-bit difference in one of the message
words, namely, $m_4 \oplus m_4' = 2^i$, and the path holds for any $i$
($0 \le i < 32$), for a total of 32 possible paths. Given the paths, we can
mount a distinguishing attack on the keyed MD4 compression function, implying
that the function is not a PRF.

For our distinguishing attack on HMAC-MD4, there is only a single oracle $O$,
which can be either $\mathrm{HMAC}_k$ or a truly random function. The adversary
generates about $2^{62}$ message pairs $(m, m')$ such that $m_4 \oplus m_4' = 2^i$
for some $i$, queries the oracle, and observes whether a collision
$O(m) = O(m')$ occurs. If so, it identifies the oracle as HMAC; otherwise, it
identifies it as a truly random function. The expected query complexity is
$2^{63}$, and the success probability is one. From the collision, a forgery
attack easily follows (similar to Section 5.1) which requires an additional
chosen query.

We can reduce the query complexity to $2^{58}$ by using a structure, which is a
common trick in differential cryptanalysis. The idea is to take advantage of the
multiple differential paths by generating input pairs $(m, m')$ in a more
compact way as follows: First, generate $2^{26}$ random $m_3$ (it can actually
be any message word $m_j$ as long as $j \ne 4$). Second, for each $m_3$,
generate all $2^{32}$ possible values for $m_4$. Hence, the total number of
messages is $2^{58}$. It is easy to show that the $2^{58}$ messages collectively
create $2^{62}$ pairs of $(m, m')$ for which $m_4 \oplus m_4' = 2^i$ for some
$i$. One of the pairs is expected to produce a collision.

We can construct a partial key recovery attack on HMAC-MD4 following similar
phases as that of NMAC-MD5. Given the form of the 32 differential paths and
their associated conditions, it is better to use only one path ($i = 22$) for
key recovery. Our analysis shows that the query complexity is roughly $2^{63}$
and the remaining computation is order $2^{40}$ MD4 operations.

6.2 Attacks on HMAC/NMAC-SHA0

Chabaud and Joux [10] presented the first collision attack on SHA-0 with
complexity $2^{61}$. Their analysis also introduced important concepts such as
local collisions and disturbance vectors, which prove to be the basis for all
subsequent attacks on SHA-0 and SHA-1. The differential path used in their
attack holds with probability $p = 2^{-83}$ (see Table 4 in [10] for detailed
calculation). We can use the differential path to construct distinguishing and
forgery attacks on HMAC-SHA0 with query complexity $2^{84}$. One subtle issue
for SHA-0 (and SHA-1) is that we should generate message pairs so that they not
only satisfy the required message difference but also extra conditions on
certain message bits.

A partial key recovery attack on HMAC-SHA0 can also be constructed. In fact,
the analysis would be much simpler than that of NMAC-MD5 due to the particular
form of the SHA-0 (and SHA-1) step function, which is
$A_i = (A_{i-1} \lll 5) + f_i(B_{i-1}, C_{i-1}, D_{i-1}) + E_{i-1} + m_{i-1} + k_i$.
Since there is no rotation associated with the message word, we can use the bit
flipping algorithm directly (rather than the modified version) to recover the
register $A_i$. Our analysis shows that the query complexity is about $2^{84}$,
and the time complexity is about $2^{60}$.

6.3 Attacks on Reduced-Round Variants of HMAC/NMAC-SHA1

Biham et al. [7] presented collision attacks on several reduced-round variants
of SHA-1. Their attack on 34-round SHA-1 used a disturbance vector with very low
Hamming weight (see Table 1 of [7]). Based on this vector, we calculated the
probability of the differential path to be $2^{-33}$, and it holds for half of
the randomly chosen IVs. This path implies that 34-round SHA-1 is not a PRF.
Using our techniques developed earlier, we can construct all three types of
attacks on HMAC-SHA1 when the inner function is reduced to 34 rounds. The query
complexity is about $2^{34}$ and the success probability is 1/2 for a random key.



S. Contini and Y.L. Yin


6.4 Further Improvements 

It is possible to further improve the complexity of our attacks. Krawczyk [16]
pointed out a useful tradeoff between query complexity and the success
probability of the attacks. More specifically, we can construct new attacks with
$2^t$ queries and success probability $2^{t-q}$, where $2^q$ is the number of
queries in our original attacks and $1 \le t \le q$. Biham [6] suggested that
attacks on HMAC can be extended to 40-round SHA-1 using results in [7].

7 A General Framework for Analyzing HMAC/NMAC 

In this section we extend the approach in our attacks to provide a general
framework for analyzing HMAC/NMAC. Let $DP$ be a collision differential path
for the compression function $f$, and let $\Delta = (\Delta cv, \Delta m)$ be
the required input difference for the path. Suppose that the path holds with
probability at least $P_0 = 2^{-w}$ for a fraction $q$ of all randomly chosen
inputs $(cv, cv')$ and $(m, m')$ satisfying $\Delta$. We consider two cases
depending on $\Delta cv$:

- $\Delta cv = 0$. In this case, the path $DP$ yields a real collision. The
  attacks to be considered are in the standard setting and apply to both HMAC
  and NMAC.

- $\Delta cv \ne 0$. In this case, the path $DP$ yields a pseudo-collision. The
  attacks to be considered are in the related-key setting and apply only to
  NMAC.

There are three types of possible attacks, all having success probability $q$.

1. Distinguishing attack. The complexity is about $O(2^{w+1})$ queries.

2. Forgery attack. If the hash function $F$ is iterative, the distinguishing
   attack implies a forgery attack with one additional chosen query.

3. Key recovery attack. If $F$ has similar step functions as MDx, the collision
   path may allow the recovery of the inner key in HMAC and NMAC. The query
   complexity is $O(2^{w+1})$, and the time complexity depends on the form of
   the collision path.

To beat the generic birthday-type forgery attack, we need to find a collision
differential path such that $P_0 > 2^{-n/2}$, and to beat the exhaustive key
search attack, we need $P_0 > 2^{-n}$. Hence, the above general framework
reduces the problem of attacking HMAC/NMAC to the problem of finding a "good"
collision differential path for the underlying compression function.

Finding suitable differential paths. There have been many collision attacks on
hash functions, each relying on a specific differential path. One important
point is that a differential path that works best for finding collisions may
not be the best for the purpose of attacking HMAC and NMAC. To better explain
this, we introduce a variable $P_r$, which is the probability of the
differential path from Step $r$ to the last step.

- For collision attacks, we should select a path such that $P_r$ is minimized,
  assuming message modification techniques can apply up to Step $r-1$ of the
  hash function.

- For attacks on HMAC and NMAC, we should select a path such that $P_0$ is
  minimized.

For example, for the purpose of analyzing HMAC-SHA0, Chabaud and Joux's attack
offers a better differential path than the improved collision attack in [23],
since the probability $P_0$ associated with the differential path in the former
attack is much larger than the latter.

To break HMAC-MD5, we would need to find differential paths that hold with
large enough probability $P_0$ and lead to real collisions. The differential
path in Wang's MD5 attack [21] was constructed to minimize $P_r$
($\approx 2^{-37}$) so that it works best with modification techniques. The
total probability $P_0$ of the path is only about $2^{-300}$. So far,
improvements to the MD5 attack were all due to refined modification techniques:
nobody has discovered new differential paths. An open question is whether
differential paths for MD5 with $P_0 > 2^{-128}$ can be found. New automated
search methods may provide promising ways for finding such differential paths.
A The Bit Flipping Algorithms

We first give the bit flipping algorithm in Figure 1. This is for the simplified
MD5 step function where the rotation is eliminated.

    For j = 0, ..., t - 1, set m*_j = m_j
    Set d = 0                                          (a)
    For i = 30 downto 0 do                             (b)
    {
        Set m*_t = m_t + 2^i + d                       (c)
        Repeat order 2^(46-t) times
        {
            Choose m*_{t+1}, ..., m*_{15} at random.
            /* now all 16 words of m* have been set */
            Query the two NMAC oracles on m*
            If there is a collision, then
            {
                Bit i of B_{t+1} is 0
                Set d = d + 2^i                        (d)
                break;
            }
        }
        If no collision found, then bit i of B_{t+1} is 1
    }

Fig. 1. Bit flipping algorithm for computing B_{t+1}

The modified bit flipping algorithm is similar, except the following four steps:

- Step (a) => Set d' = 0

- Step (b) => For i' = 30 - s_t downto 0 do

- Step (c) => Set m*_t = m_t + 2^{i'} + d'

- Step (d) => Set d' = d' + 2^{i'}
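The two algorithms of this appendix, together with the carry argument of Section 5.2 that justifies them, as an added worked example that is not code from the paper. The inner "Repeat order $2^{46-t}$ times" loop of Figure 1 exists only to learn one bit of information, namely whether $\mathrm{MSB}(B^*_{t+1})$ stayed 0 (Lemma 1); the example replaces that loop with a simulated oracle that answers exactly this question from hidden register values constructed at random, so it runs offline and shows why carries leak $B_{t+1}$ bit by bit. The class names, the rotation amount passed to the modified variant and the success-rate check against Lemma 2 are all constructions of this example.

```python
# Added example, not code from the paper: the bit flipping algorithm of Figure 1
# and its modified (rotation-aware) variant from Appendix A, run against a
# simulated oracle.  Instead of issuing the order-2^(46-t) NMAC queries behind
# each decision, the oracle answers the question those queries settle (Lemma 1):
# does the modified word m*_t leave MSB(B*_{t+1}) = 0?  The hidden register
# values are constructed at random for the demonstration.
import random

MASK = 0xFFFFFFFF


def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


class SimplifiedStep:
    """B_{t+1} = m_t + T, the rotation-free step of Section 5.2.  T is hidden;
    the only thing that leaks is whether the MSB of the new register is 0."""

    def __init__(self, rng):
        self.T = rng.getrandbits(32)
        self.m_t = rng.getrandbits(32)
        while self.register(self.m_t) >> 31:          # assume MSB(B_{t+1}) = 0
            self.m_t = rng.getrandbits(32)

    def register(self, m_star):
        return (m_star + self.T) & MASK

    def collision(self, m_star):
        """Lemma 1: a collision is found iff MSB(B*_{t+1}) = 0."""
        return self.register(m_star) >> 31 == 0


class RotatedStep(SimplifiedStep):
    """The real MD5 shape B_{t+1} = ((m_t + T) <<< s_t) + B_t."""

    def __init__(self, rng, s):
        self.s, self.B_t = s, rng.getrandbits(32)
        super().__init__(rng)

    def register(self, m_star):
        return (rotl((m_star + self.T) & MASK, self.s) + self.B_t) & MASK


def bit_flipping(oracle, m_t):
    """Figure 1: recover B_{t+1} one bit at a time from bit 30 down to bit 0
    (bit 31 is 0 by assumption).  d keeps bits already found to be 0 set, so a
    carry out of bit i runs all the way into the MSB."""
    d, value = 0, 0
    for i in range(30, -1, -1):
        m_star = (m_t + (1 << i) + d) & MASK          # step (c)
        if oracle.collision(m_star):
            d += 1 << i                                # step (d): bit i is 0
        else:
            value |= 1 << i                            # no collision: bit i is 1
    return value


def modified_bit_flipping(oracle, m_t, s):
    """Appendix A modification: i' = i - s_t and d' = d >>> s_t, so that the
    increment lands on bits i..30 after the rotation.  Returns the recovered
    most significant (32 - s_t) bits with the low s_t bits cleared."""
    d_prime, value = 0, 0
    for i_prime in range(30 - s, -1, -1):
        m_star = (m_t + (1 << i_prime) + d_prime) & MASK
        if oracle.collision(m_star):
            d_prime += 1 << i_prime
        else:
            value |= 1 << (i_prime + s)
    return value


def simplified_check(trials=50, seed=3):
    """Without rotation the recovery is exact on every trial."""
    rng = random.Random(seed)
    return all(bit_flipping(st, st.m_t) == st.register(st.m_t)
               for st in (SimplifiedStep(rng) for _ in range(trials)))


def modified_success_rate(s, trials=100, seed=1):
    """Fraction of random steps with rotation s on which the top (32 - s) bits
    come out right; Lemma 2 predicts at least 1 - 2^-s - 2^-(s+1)."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(trials):
        st = RotatedStep(rng, s)
        want = st.register(st.m_t) & ~((1 << s) - 1) & MASK
        ok += modified_bit_flipping(st, st.m_t, s) == want
    return ok / trials
```

The rotated variant fails only when the addition inside the rotation carries across the word boundary, which perturbs the low $s_t$ bits of $X_t$ by $+1$ or $+1-2^{s_t}$; that perturbation reaches the MSB only if the bits below it are all ones, which is the $2^{-s_t}$ order term in Lemma 2. With $s_t = 7$ (step 12) the failure rate is about one trial in sixty; with $s_t = 17$ (step 10) it is negligible.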
Abstract. We propose a new type of guess-and-determine attack on the
self-shrinking generator (SSG). The inherent flexibility of the new attack
enables us to deal with different attack conditions and requirements smoothly.
For the SSG with a length $L$ LFSR of arbitrary form, our attack can reliably
restore the initial state with time complexity $O(2^{0.556L})$, memory
complexity $O(L^2)$ from $O(2^{0.161L})$-bit keystream for $L > 100$ and time
complexity $O(2^{0.571L})$, memory complexity $O(L^2)$ from $O(2^{0.194L})$-bit
keystream for $L \le 100$. Therefore, our attack is better than all the
previously known attacks on the SSG and especially, it compares favorably with
the time/memory/data tradeoff attack which typically has time complexity
$O(2^{0.5L})$, memory complexity $O(2^{0.5L})$ and data complexity
$O(2^{0.25L})$-bit keystream after a pre-computation phase of complexity
$O(2^{0.75L})$. It is well-known that one of the open research problems in
stream ciphers specified by the European STORK (Strategic Roadmap for Crypto)
project is to find an attack on the self-shrinking generator with complexity
lower than that of a generic time/memory/data tradeoff attack. Our result is the
best answer to this problem known so far.

Keywords: Stream cipher, Self-shrinking, Guess-and-determine, Linear 
feedback shift register (LFSR). 


1 Introduction 

The self-shrinking generator is an elegant keystream generator proposed by W.
Meier and O. Staffelbach at EUROCRYPT'94 [22]. It applies the shrinking idea
[7] to only one maximal length LFSR and generates the keystream according to
the following rule: let $a = a_0, a_1, \ldots$ be a binary sequence produced by
the LFSR, consider the bit pair $(a_{2i}, a_{2i+1})$; if $a_{2i} = 1$, output
$a_{2i+1}$ as a keystream bit, otherwise no output is produced. It is suggested
in [22] that the key of the SSG consists of the initial state of the LFSR and
(preferably) also of the LFSR

* Supported by the National Natural Science Foundation of China (Grant No. 
90604036, 60373047) and the National Grand Fundamental Research 973 program 
of China (Grant No. 2004CB318004). 
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feedback logic. As in other articles, e.g. [18,26,31,3], we assume that the primitive 
feedback polynomial is known to the attacker. 

Although many LFSR based stream ciphers are found vulnerable to (fast) 
correlation attacks [4,5,14,15,16,23,24,25] and algebraic attacks [1,2,8,9], 
the self-shrinking generator has shown remarkable resistance against such 
cryptanalysis. For a length $L$ LFSR, the previously known best concrete 
attack is the BDD attack in [18], which has time complexity $O(2^{0.656L})$ at 
the expense of $O(2^{0.656L})$ memory from $\lceil 2.41 \cdot L \rceil$ bits of 
keystream. One of the open research problems in stream ciphers specified by 
the STORK (Strategic Roadmap for Crypto) project [29] is to find an attack on 
the self-shrinking generator with complexity lower than that of a generic 
time/memory/data (TMD) tradeoff attack, which typically has time complexity 
$O(2^{0.5L})$, memory complexity $O(2^{0.5L})$ by using $O(2^{0.25L})$-bit 
keystream after a pre-computation phase of complexity $O(2^{0.75L})$. 

In [22], a simple method of reducing the key space is introduced and the 
entropy leakage analysis shows that the average key space of the self-shrinking 
generator is $O(2^{0.75L})$. A faster cryptanalysis of the SSG is proposed by 
Mihaljevic in [26] with time complexity varying from $O(2^{0.5L})$ to 
$O(2^{0.75L})$ and the required keystream length ranging from $2^{0.5L}$ to 
$2^{0.25L}$ accordingly. To get the best complexity estimate $O(2^{0.5L})$, 
the intercepted keystream length must be greater than $L/2 \cdot 2^{L/2}$, 
which is beyond the realistic scope for large values of $L$. In [31], a search 
tree algorithm is presented to restore an equivalent state of the LFSR from a 
short segment of the keystream with time complexity $O(2^{0.694L})$. However, 
the main bottleneck of the attacks in [31,18] is their unrealistically large 
requirement of memory. Since the self-shrinking generator uses only one LFSR, 
the method of reducing the memory complexity in [17] is inapplicable. In 2003, 
P. Ekdahl et al. showed that certain weak feedback polynomials allow very 
efficient distinguishing attacks on the SSG [10]. Apart from these concrete 
attacks, there is a general time/memory/data tradeoff attack [3] applicable to 
all stream ciphers in theory. This kind of attack should be taken into 
consideration especially when a technique called BSW sampling [3] is applicable 
to the cipher system. It is known that the sampling resistance of the 
self-shrinking generator is $2^{-L/4}$, thus the reduced search space is 
$O(2^{0.75L})$. However, such an attack always has a time-consuming 
preprocessing phase and requires a large amount of memory, which are usually 
impossible for individual cryptanalysts. 

In this paper, we propose a new type of guess-and-determine attack on the 
self-shrinking generator. The large flexibility inherent in the new attack 
enables us to handle different attack conditions and requirements smoothly. It 
has no restriction on the form of the LFSR and can reliably recover the initial 
state of the LFSR with time complexity $O(2^{0.556L})$, memory complexity 
$O(L^2)$ from $O(2^{0.161L})$-bit keystream for $L > 100$ and time complexity 
$O(2^{0.571L})$, memory complexity $O(L^2)$ from $O(2^{0.194L})$-bit keystream 
for $L < 100$. Compared with the general time/memory/data tradeoff attack, our 
attack avoids the time-consuming pre-computation phase and the large memory 
requirement of the TMD attack, without a substantial compromise of the real 
processing complexity. Comparisons with other known attacks against the 
self-shrinking generator show that our attack offers the best tradeoff between 
the complexities (time, memory and pre-computation) and the required keystream 
length. Therefore, our result is the best answer to the open problem in the 
STORK project known so far. 

The rest of this paper is organized as follows. We present a detailed description 
of our attack in Section 2 with theoretical analysis. In Section 3, experimental 
results to verify the feasibility of our attack and comprehensive comparisons 
with the previously known attacks on the self-shrinking generator are provided. 
Finally, some conclusions are given in Section 4. 

2 Our Attack 

The aim of our attack is to restore the initial state or an equivalent initial state 
of the LFSR used in the self-shrinking generator from a keystream segment of 
realistic length. We first state some basic facts on the self-shrinking generator 
and on the underlying maximal length sequences, then the guess-and-determine 
attack is presented in detail followed by the theoretical complexity analysis. 

2.1 Basic Facts 

Let $a = a_0, a_1, \ldots$ be the maximal length sequence produced by the 
LFSR A used in the self-shrinking generator and $z = z_0, z_1, \ldots$ be the 
keystream. First note that the two decimated sequences 
$a_0, a_2, \ldots, a_{2i}, \ldots$ and $a_1, a_3, \ldots, a_{2i+1}, \ldots$ are 
shift equivalent to the original sequence $a$ [13]. They share the same 
feedback polynomial as that of sequence $a$ and differ only by some shift. The 
following lemma determines the shift value between the sequences $\{a_{2i}\}$ 
and $\{a_{2i+1}\}$. 

Lemma 1. Let $a = a_0, a_1, \ldots$ be a binary maximal length sequence 
produced by an LFSR of length $L$. Then the shift value $\tau$ between the two 
decimated sequences $c = \{a_{2i}\}$ and $b = \{a_{2i+1}\}$ is $2^{L-1}$, i.e. 
for each integer $i \ge 0$, $b_i = c_{i+2^{L-1}}$. 

Proof. It suffices to note that, since $a$ has period $2^L - 1$, 
$c_{i+2^{L-1}} = a_{2(i+2^{L-1})} = a_{2i+2^L} = a_{2i+1+(2^L-1)} = a_{2i+1} = b_i$. 

Lemma 1 shows the exact shift value between $\{a_{2i}\}$ and $\{a_{2i+1}\}$, 
which will facilitate the determination of the relationship between them. 
Keeping the notations as above, we have the following lemma. 

Lemma 2. Let $f(x) = 1 + c_1 x + c_2 x^2 + \cdots + c_{L-1} x^{L-1} + x^L$ be 
the primitive feedback polynomial of LFSR A over GF(2), i.e. for each 
$i \ge 0$, $a_{i+L} = \sum_{j=1}^{L} c_j a_{i+L-j}$, where $c_L = 1$. Then 
there exists a polynomial $h(x) = \sum_{j=0}^{L-1} h_j x^j$ such that 
$h(x) = x^{\tau} \bmod f^*(x)$, where $f^*(x)$ is the reciprocal polynomial of 
$f(x)$ and $\tau = 2^{L-1}$ is the shift value between $c = \{a_{2i}\}$ and 
$b = \{a_{2i+1}\}$. Besides, the polynomial $h(x)$ can be efficiently computed 
as illustrated below even for very large values of $L$. 
Proof. The former part of this lemma is a straightforward conclusion according 
to the theory of maximal sequences [13]. It reveals that 

$b_i = a_{2i+1} = \sum_{j=0}^{L-1} h_j c_{i+j} = \sum_{j=0}^{L-1} h_j a_{2(i+j)}$, (1) 

i.e. each $b_i$ is a linear combination of some $c_i$. 

We follow the recursive procedure below to compute $h(x)$. More precisely, 
the linear coefficients $h_j$ can be determined by recursively computing 
$x^i \bmod f^*(x) = x \cdot (x^{i-1} \bmod f^*(x)) \bmod f^*(x)$ for moderately 
large $L$. For very large values of $L$, this can be fulfilled by combining 
the recursive procedure with the following small step strategy, i.e. we first 
determine a set of values $\{\tau_1, \ldots, \tau_t\}$ such that 

$x^{2^{L-1}} \bmod f^*(x) = x^{\prod_{i=1}^{t} \tau_i} \bmod f^*(x) = \big( (x^{\tau_1} \bmod f^*(x))^{\tau_2} \cdots \big)^{\tau_t} \bmod f^*(x)$, 

where $\prod_{i=1}^{t} \tau_i = 2^{L-1}$ and each $\tau_j$ is chosen so that 
$x^{\tau_j} \bmod f^*(x)$ can be computed efficiently by an available method 
such as the square-and-multiply method [20] in reasonable time. Hence, the 
linear coefficients $h_j$ can be computed in an acceptable time for very large 
$L$ in this way. 

Table 1 lists the corresponding $h(x)$, obtained by the above combination 
method, for some primitive polynomials of degree up to 300. Here we use 
$\tau_i = 2^{10}$ for $i = 1, \ldots, \lceil (L-1)/10 \rceil - 1$ and 
$\tau_{\lceil (L-1)/10 \rceil} = 2^{L-1-10(\lceil (L-1)/10 \rceil - 1)}$, so 
that even $x^{2^{299}} \bmod f^*(x)$ with $f(x)$ a primitive polynomial of 
degree 300 can be computed in about one hour on a Pentium 4 processor. This 
completes the proof. 

Lemma 2 shows that compared with the real attack complexity $O(2^{0.556L})$ or 
$O(2^{0.571L})$, the complexity of computing the linear relationship between 
$\{a_{2i}\}$ and $\{a_{2i+1}\}$ is negligible. The overall complexity of our 
attack is dominated by the complexity of the guess-and-determine algorithm 
given below. 
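As an added example (not code from the paper), the following Python computes $h(x) = x^{2^{L-1}} \bmod f^*(x)$ by square-and-multiply and checks Lemma 1 and relation (1) on a full period of a small LFSR. The degree-10 trinomial and the start states are constructed here; the degree-40 polynomial is the one used in Section 3.2.

```python
"""Self-shrinking generator and the decimation lemmas of Section 2.1.

Added example (not the paper's code). Binary polynomials are Python ints,
bit j of an int being the coefficient of x^j.
"""


def poly_mod(a: int, mod: int) -> int:
    """Reduce a modulo mod over GF(2); mod has its top bit set."""
    deg = mod.bit_length() - 1
    while a.bit_length() - 1 >= deg:
        a ^= mod << (a.bit_length() - 1 - deg)
    return a


def poly_mulmod(a: int, b: int, mod: int) -> int:
    """(a * b) mod mod over GF(2), shift-and-add with reduction each step."""
    deg = mod.bit_length() - 1
    a, res = poly_mod(a, mod), 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if (a >> deg) & 1:
            a ^= mod
    return res


def x_pow_mod(exp: int, mod: int) -> int:
    """x^exp mod mod by square-and-multiply. For exp = 2^(L-1) (Lemma 2)
    this is L-1 successive squarings of x, so even L = 300 is cheap."""
    result, base = 1, poly_mod(2, mod)  # the polynomial x is the int 0b10
    while exp:
        if exp & 1:
            result = poly_mulmod(result, base, mod)
        base = poly_mulmod(base, base, mod)
        exp >>= 1
    return result


def reciprocal(f: int, L: int) -> int:
    """f*(x) = x^L f(1/x): reverse the L+1 coefficients of f."""
    return int(format(f, f"0{L + 1}b")[::-1], 2)


def lfsr_sequence(f: int, L: int, state: list, n: int) -> list:
    """First n bits of the LFSR sequence a with feedback polynomial
    f(x) = 1 + c_1 x + ... + c_{L-1} x^{L-1} + x^L, i.e. the recurrence
    a_{i+L} = sum_{j=1..L} c_j a_{i+L-j}, started from (a_0, ..., a_{L-1})."""
    c = [(f >> j) & 1 for j in range(L + 1)]
    a = list(state)
    while len(a) < n:
        i = len(a) - L
        a.append(sum(c[j] & a[i + L - j] for j in range(1, L + 1)) & 1)
    return a[:n]


def ssg_keystream(a: list) -> list:
    """Self-shrinking rule of Meier and Staffelbach: walk the pairs
    (a_{2i}, a_{2i+1}) and output a_{2i+1} exactly when a_{2i} = 1."""
    return [a[2 * i + 1] for i in range(len(a) // 2) if a[2 * i] == 1]


def shift_polynomial(f: int, L: int) -> int:
    """h(x) = x^(2^(L-1)) mod f*(x) of Lemma 2, as an int of degree < L."""
    return x_pow_mod(1 << (L - 1), reciprocal(f, L))


def check_lemmas(f: int, L: int, state: list) -> bool:
    """Verify on a full period that b_i = c_{i+2^(L-1)} (Lemma 1) and that
    b_i = sum_j h_j c_{i+j} (relation (1)), with c = {a_{2i}}, b = {a_{2i+1}}."""
    period = (1 << L) - 1
    tau = 1 << (L - 1)
    a = lfsr_sequence(f, L, state, 2 * (period + L))
    c = [a[2 * i] for i in range(period + L)]
    b = [a[2 * i + 1] for i in range(period)]
    h = shift_polynomial(f, L)
    hj = [(h >> j) & 1 for j in range(L)]
    for i in range(period):
        if b[i] != c[(i + tau) % period]:
            return False
        if b[i] != sum(hj[j] & c[i + j] for j in range(L)) & 1:
            return False
    return True


# Constructed sample: f(x) = 1 + x^3 + x^10, a primitive trinomial.
F10, L10 = (1 << 10) | (1 << 3) | 1, 10
# The degree-40 polynomial of the paper's Section 3.2 example.
F40, L40 = (1 << 40) | (1 << 21) | (1 << 19) | (1 << 2) | 1, 40

if __name__ == "__main__":
    start = [1] + [0] * 9
    print("lemmas hold for L = 10:", check_lemmas(F10, L10, start))
    h40 = shift_polynomial(F40, L40)
    print("x^(2^39) mod f*(x) for L = 40 has the terms x^j for j in",
          [j for j in range(L40) if (h40 >> j) & 1])
    print("SSG keystream from 40 LFSR bits:",
          ssg_keystream(lfsr_sequence(F10, L10, start, 40)))
```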

2.2 The Guess-and-Determine Algorithm 

The basic idea of a guess-and-determine attack on a stream cipher is to guess 
some bits of the internal state and derive other bits of the internal state through 
the relationship between the keystream bits and the internal state bits introduced 
by the keystream generation process. The validity of a guessed and determined 
internal state is checked by running the cipher forward from that state. If the 
generated keystream matches the intercepted keystream, we accept it. Otherwise, 
we discard the current candidate and try the attack again to get new state 
candidates. 

Contrary to the methods in other articles, here we do not directly apply the 
guess-and-determine idea to the sequence $\{a_i\}$. Instead we consider the 
decimated sequence $\{a_{2i}\}$. With the knowledge of $\{a_{2i}\}$, $\{a_i\}$ 
can be easily recovered by simple linear algebra. 
Table 1. Computational results of h(x) on a Pentium 4 processor using Mathematica 
with the above combination method 
More precisely, to attack a self-shrinking generator, we first guess an 
$l$-bit segment 

$A_0^{l-1} = (a_0, a_2, \ldots, a_{2(l-1)})$ (2) 

of the initial state $(a_0, a_2, \ldots, a_{2(L-1)})$ of $\{a_{2i}\}$, as shown 
in Figure 1, thus there are $L - l$ bits (black points in Figure 1) of the 
initial state left unknown. Let $W_H(\cdot)$ be the Hamming weight of the 
corresponding vector; then from the guessed segment, we can get 
$W_H(A_0^{l-1})$ linear equations on the remaining $L - l$ bits via the shift 
structure (illustrated by the arrows in Figure 1). For example, if 
$a_{2i} = 1$ ($0 \le i \le l - 1$), then we have 

$b_i = a_{2i+1} = \sum_{j=0}^{L-1} h_j a_{2(i+j)} = \sum_{j=0}^{l-1-i} h_j a_{2(i+j)} + \sum_{j=l-i}^{L-1} h_j a_{2(i+j)}$, (3) 

where $h(x) = \sum_{j=0}^{L-1} h_j x^j$ is the polynomial satisfying 
$h(x) = x^{2^{L-1}} \bmod f^*(x)$ found by Lemma 2, and the left-hand side 
$b_i = a_{2i+1}$ is output as a keystream bit because $a_{2i} = 1$. Note that 
the partial sum $\sum_{j=0}^{l-1-i} h_j a_{2(i+j)}$ in (3) is a known 
parameter because we guessed the value of $(a_0, a_2, \ldots, a_{2(l-1)})$, 
thus (3) is a linear equation on the $L - l$ variables 
$(a_{2l}, \ldots, a_{2(L-1)})$. Whenever there is a bit $a_{2i} = 1$ for 
$0 \le i \le l - 1$, we will have one linear equation on 
$(a_{2l}, \ldots, a_{2(L-1)})$. Our observation is that the more 1s in the 
guessed segment $A_0^{l-1}$, the more linear equations on the remaining 
$L - l$ bits we can get. The extreme case is that if 
$(a_0, a_2, \ldots, a_{2(l-1)}) = (1, 1, \ldots, 1)$, then we will have $l$ 
linear equations on $L - l$ variables. In order to get an efficient attack, 
here we do not exhaustively search over all the possible values of 
$A_0^{l-1}$. Instead, we just search over those possible values of 
$A_0^{l-1}$ satisfying (without loss of generality, we assume $a_0 = 1$) 

$W_H(A_0^{l-1}) \ge \lceil \alpha \cdot l \rceil$, (4) 

where $\lceil x \rceil$ gives the smallest integer greater than or equal to 
$x$ and $\alpha$ ($0.5 \le \alpha \le 1$) is a parameter to be determined 
later. Hence, we can get at least $\lceil \alpha \cdot l \rceil$ linear 
equations on the remaining $L - l$ bits by this method. 

Fig. 1. Guess-and-determine process 

Now a crucial question arises naturally: what about the linear dependency of 
these linear equations? Fortunately, from the initial state 
$(a_0, a_2, \ldots, a_{2(L-1)})$ of $\{a_{2i}\}$, we have 

$(a_0, \ldots, a_{2(L-1)}, a_{2L}, \ldots, a_{2(N-1)}) = (a_0, a_2, \ldots, a_{2(L-1)}) \cdot G$, 

where $N$ is the length of the sequence $\{a_{2i}\}$ under consideration and 
$G$ is an $L \times N$ matrix over GF(2): 

$G = \begin{pmatrix} g_0^0 & g_1^0 & \cdots & g_{N-1}^0 \\ g_0^1 & g_1^1 & \cdots & g_{N-1}^1 \\ \vdots & \vdots & & \vdots \\ g_0^{L-1} & g_1^{L-1} & \cdots & g_{N-1}^{L-1} \end{pmatrix}$, 

i.e. each $a_{2i}$ is a linear combination of $(a_0, a_2, \ldots, a_{2(L-1)})$. 
Since for each $i \ge 0$, $a_{2i+1} = a_{2i+2^L}$, the column vectors 
$g_i = (g_i^0, g_i^1, \ldots, g_i^{L-1})^T$ corresponding to the bits selected 
in $(a_1, a_3, \ldots, a_{2l-1})$ according to the pattern of 
$(a_0, a_2, \ldots, a_{2(l-1)})$ can be regarded as random vectors over 
$\mathrm{GF}(2)^L$. Thus, this holds also for the truncated versions of $g_i$ 
over $\mathrm{GF}(2)^{L-l}$ which form the coefficient matrix on the remaining 
$L - l$ unknown bits. The following lemma guarantees that the matrix formed by 
the truncated random column vectors almost always has rank close to its 
maximum. 

Lemma 3. ([30]) The probability that a randomly generated $m \times n$ binary 
matrix has rank $r$ ($1 \le r \le \min(m, n)$) is 

$P_r = 2^{r(m+n-r)-mn} \prod_{i=0}^{r-1} \frac{(1 - 2^{i-m})(1 - 2^{i-n})}{1 - 2^{i-r}}$. (5) 


Although we can sometimes get more than $\lceil \alpha l \rceil$ linear 
equations by the above searching method, we only use the lower bound 
$\lceil \alpha l \rceil$ in the estimation of the linearly independent 
equations and let $\lceil \alpha \cdot l \rceil = L - l$. The reason for doing 
so is to derive the worst case complexity of our guess-and-determine algorithm 
in Section 2.3. By Lemma 3, the probability that a randomly generated 
$\lceil \alpha l \rceil \times (L - l)$ binary matrix has rank 
$r \ge \lceil \alpha l \rceil - 5$ is 

$P(r \ge \lceil \alpha l \rceil - 5) = \sum_{r=\lceil \alpha l \rceil - 5}^{\lceil \alpha l \rceil} 2^{r(m+n-r)-mn} \prod_{i=0}^{r-1} \frac{(1 - 2^{i-m})(1 - 2^{i-n})}{1 - 2^{i-r}}$, (6) 

with $m = \lceil \alpha l \rceil$ and $n = L - l$. Simulation results show 
that $P(r \ge \lceil \alpha l \rceil - 5) > 0.99$ for $L < 1500$, i.e. the 
linear equations we get are almost linearly independent. We can compensate 
for the linear dependency of the linear system by an exhaustive search on a 
small scale. 

The entire description of the guess-and-determine attack (algorithm A) is as 
follows (in C-like notation). 

— Parameter: $\alpha$, $L$ 

— Input: keystream $\{z_i\}_{i=0}^{N-1}$, feedback polynomial $f(x)$ 

— Processing: 

  1. Apply the combination strategy illustrated in Section 2.1 to compute 
     $h(x) = x^{2^{L-1}} \bmod f^*(x)$, where $f^*(x)$ is the reciprocal 
     polynomial of $f(x)$ 

  2. for all $l$-bit segments $A_0^{l-1}$ satisfying (4) do 

     • for $k = 0$ to $l - 1$ do 
       * if $a_{2k} = 1$ then 
           Using $h(x)$ obtained in step 1 and $f(x)$, derive a linear 
           expression on the remaining bits in 
           $A_l^{L-1} = (a_{2l}, \ldots, a_{2(L-1)})$ and store the 
           expression in matrix $U$ 
         end if 
       end for 

     • for $j = 0$ to $N - 1 - \lceil \alpha \cdot l \rceil$ do 
       (a) Check the linear consistency [32] of the linear system using the 
           keystream indexed from $z_j$ 
       (b) if the linear consistency test is OK then 
           * Solve the linear system in $U$ according to the keystream 
             indexed from $z_j$ to get a state candidate 
             $(a'_0, a'_2, \ldots, a'_{2(L-1)})$ or a small list of 
             candidates 
           * for each candidate state do 
               i. Run the SSG forward from the candidate state and check 
                  the generated keystream against $\{z_j\}_{j=0}^{N-1}$ 
              ii. if the correlation test is OK then 
                    Output that candidate and break the loop 
                  else continue 
                  end if 
             end for 
         else continue 
         end if 
       end for 
     end for 

— Output: the initial state or an equivalent state 
  $(a_0, a_2, \ldots, a_{2(L-1)})$ 

Here the for loop works in the same way as in the C language. Assume we start 
with the keystream $\{z_j\}_{j=0}^{N-1}$. We first derive the linear 
expressions as in (3) from the guessed segment $A_0^{l-1}$, then associate 
them with the keystream indexed from $z_0$ and test the linear consistency of 
the resulting system. If the test fails, then try the keystream indexed from 
$z_1$, indexed from $z_2$, and so on. If we cannot get a consistent linear 
system based on the keystream in hand, discard the current guess of 
$A_0^{l-1}$ and try another guess to restart. If we find one, solve the system 
to get a candidate state $(a'_0, a'_2, \ldots, a'_{2(L-1)})$ or a small list 
of candidate states. 

Run the self-shrinking generator forward from each candidate state and generate 
the corresponding keystream. If the generated keystream does not match the 
intercepted keystream, discard that candidate and try another one. If all the 
candidates fail to find a match, then try another guess of $A_0^{l-1}$ to 
restart the whole process above. If enough keystream is available, we expect 
to find the initial state (or an equivalent state) corresponding to the 
intercepted keystream with high success probability. 

2.3 Complexity Analysis 

Now we analyze the time, memory and data complexity of algorithm A. We 
first establish the basic equation of our attack. Then, the corresponding time, 
memory and data complexities are derived in the most general case. 
Finally, we discuss the success rate of algorithm A and point out the optimal 
choices of the attack parameters. 

From algorithm A, to cover the $L - l$ unknown bits by 
$\lceil \alpha \cdot l \rceil$ linearly independent equations, we let 

$\lceil \alpha \cdot l \rceil = L - l \;\Rightarrow\; l = \left\lceil \frac{1}{1+\alpha} \cdot L \right\rceil$. (7) 

Since we just want to derive the magnitude, here we ignore the possible small 
number of linearly dependent equations. 

In algorithm A, we only search over those possible values of $A_0^{l-1}$ that 
satisfy (4). Let 
$H = \{A_0^{l-1} \mid \lceil \alpha l \rceil \le W_H(A_0^{l-1}) \le l \text{ and } a_0 = 1\}$, 
then 

$|H| = \sum_{i=\lceil \alpha l \rceil - 1}^{l-1} \binom{l-1}{i}$, 

where $|\cdot|$ denotes the cardinality of a set. The proportion between the 
$l$-bit values contained in $H$ and all the $2^l$ possible values is 
$|H| / 2^l$; we rewrite it as 

$\frac{\sum_{i=\lceil \alpha l \rceil - 1}^{l-1} \binom{l-1}{i}}{2^l} = \frac{2^{\beta l}}{2^l}$, (8) 

where $\beta$ is a parameter determined by $\alpha$ and $l$. From (8), we have 

$\beta = \frac{1}{l} \log_2 \sum_{i=\lceil \alpha l \rceil - 1}^{l-1} \binom{l-1}{i}$. (9) 

Combining with (7), we have a function $\beta = \beta(\alpha, L)$, as shown in 
Figure 2. It is worth noting that $\beta$ decreases as $\alpha$ increases. 

Fig. 2. $\beta$ as a function of $\alpha$ and the LFSR length $L$ 


For algorithm A to succeed, we must find at least one matching pair between 
the state set $H$ and the keystream segments involved in algorithm A. Assume 
the sequence $\{a_i\}$ is purely random (consisting of independent and 
uniformly distributed binary random variables); then the keystream length $N$ 
should satisfy 

$(N - l) \cdot \frac{1}{2^{l-1}} \sum_{i=\lceil \alpha l \rceil - 1}^{l-1} \binom{l-1}{i} \ge 1$, 

i.e. 

$N - l \ge \frac{2^{l-1}}{\sum_{i=\lceil \alpha l \rceil - 1}^{l-1} \binom{l-1}{i}} = 2^{(1-\beta) l - 1} \;\Rightarrow\; N \approx 2^{\frac{1-\beta}{1+\alpha} L}$. (10) 

Algorithm A searches over the state set $H$ and at each iteration, it checks 
along the keystream $\{z_i\}_{i=0}^{N-1}$ to find the suited segment. 
Therefore, the worst case time complexity is 

$O(N \cdot L) \cdot O(2^{\beta l}) = O(L \cdot 2^{\frac{1}{1+\alpha} L})$. (11) 
The following theorem summarizes the above results. 

Theorem 1. Keep the notations as above. The guess-and-determine algorithm 
A in Section 2.2 has time complexity $O(L^3 \cdot 2^{\frac{1}{1+\alpha} L})$, 
memory complexity $O(L^2)$ and data complexity $O(2^{\frac{1-\beta}{1+\alpha} L})$, 
where $L$ is the length of the LFSR used in the SSG, $0.5 \le \alpha \le 1$, 
and $\beta$ is a parameter determined by $\alpha$ and $L$. 

Proof. For the time complexity, note (11) and that in each iteration of 
algorithm A, we have to check the linear consistency of the linear system and 
then solve it. This contributes the $L^2$ factor to the time complexity. For 
the memory complexity, it suffices to note that in algorithm A, we only need 
to store the matrix $U$ corresponding to the current guess of $A_0^{l-1}$, 
and the memory usage in step 2 is dominating. The data complexity follows 
from (10). 

Corollary 1. Keep the notations as those in Theorem 1 and under the above 
complexities, the success probability of algorithm A is 

$P_{succ} = 1 - \left(1 - 2 \cdot 2^{-l + \beta l}\right)^{N - L}$, 

where $N$ is the length of the keystream used in the attack. 

Proof. It suffices to note that in algorithm A, we check $N - L$ keystream 
segments in total and each segment matches a state in $H$ with probability 
$2 \cdot 2^{-l + \beta l}$. 

To get the optimal performance of our attack, we should optimize the parameters 
$\alpha$ and $\beta$ of algorithm A. Table 2 lists the asymptotic time, memory 
and data complexities corresponding to the different choices of $\alpha$ with 
the LFSR length $L > 100$. It is worth noting that the values of $\beta$ are 
just approximations. In a real attack, we recommend using (7) and (9) to 
compute the more accurate values. (In Tables 2, 3 and 4, we ignore the 
polynomial factors in the corresponding time complexities of these attacks, 
e.g. for the attack in [31], this factor is $L^4$ and for the BDD-based attack 
in [18], this factor is $L^{O(1)}$.) To beat the general time/memory/data 
tradeoff attack, we recommend using $\alpha = 0.8$. Accordingly, the 
asymptotic time, memory and data complexities are $O(2^{0.556L})$, $O(L^2)$ 
and $O(2^{0.161L})$, respectively. 
Table 2. The asymptotic time, memory and data complexities of algorithm A 
corresponding to different choices of $\alpha$ ($L > 100$) 

| $\alpha$ | $\beta$ | Time             | Memory   | Data             | 
| 0.5      | 0.99    | $O(2^{0.667L})$  | $O(L^2)$ | $O(2^{0.007L})$  | 
| 0.6      | 0.96    | $O(2^{0.625L})$  | $O(L^2)$ | $O(2^{0.025L})$  | 
| 0.75     | 0.80    | $O(2^{0.571L})$  | $O(L^2)$ | $O(2^{0.114L})$  | 
| 0.8      | 0.71    | $O(2^{0.556L})$  | $O(L^2)$ | $O(2^{0.161L})$  | 
| 0.9      | 0.46    | $O(2^{0.526L})$  | $O(L^2)$ | $O(2^{0.284L})$  | 
| 1.0      | 0.00    | $O(2^{0.5L})$    | $O(L^2)$ | $O(2^{0.5L})$    | 

The time and data exponents are $\frac{1}{1+\alpha}$ and $\frac{1-\beta}{1+\alpha}$ 
from Theorem 1. 


Table 3. The time, memory and data complexities of algorithm A corresponding to 
different choices of $\alpha$ ($40 < L < 100$) 

| $\alpha$ | $\beta$ | Time             | Memory   | Data             | 
| 0.5      | 0.93    | $O(2^{0.667L})$  | $O(L^2)$ | $O(2^{0.047L})$  | 
| 0.6      | 0.88    | $O(2^{0.625L})$  | $O(L^2)$ | $O(2^{0.075L})$  | 
| 0.75     | 0.66    | $O(2^{0.571L})$  | $O(L^2)$ | $O(2^{0.194L})$  | 
| 0.8      | 0.57    | $O(2^{0.556L})$  | $O(L^2)$ | $O(2^{0.239L})$  | 
| 0.9      | 0.36    | $O(2^{0.526L})$  | $O(L^2)$ | $O(2^{0.337L})$  | 
| 1.0      | 0.00    | $O(2^{0.5L})$    | $O(L^2)$ | $O(2^{0.5L})$    | 


Note that the values listed in Table 2 are asymptotic. For $40 < L < 100$, 
the corresponding values are listed in Table 3. To beat the TMD attack with 
$40 < L < 100$, we recommend using $\alpha = 0.75$ or $\alpha = 0.8$. In both 
cases, the corresponding memory and data complexities are better than those of 
the TMD attack, without a substantial compromise of the time complexity. 
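As an added example (not the authors' code), the following Python recomputes $l$, $|H|$, $\beta$ and the exponents of Theorem 1 and Corollary 1 from (7), (8) and (9). The rounding to two and three decimals mirrors Tables 2 and 3, and the sample values $L = 40$ and $N = 200$ are those of the experiment in Section 3.2.

```python
"""Attack parameters of algorithm A (Section 2.3): l from (7), |H| and beta
from (8)/(9), the exponents of Theorem 1 and the success rate of Corollary 1.

Added example, not the paper's code; it recomputes the beta values that
Tables 2 and 3 list for a given alpha and L.
"""
from fractions import Fraction
from math import ceil, comb, log2


def segment_length(alpha: float, L: int) -> int:
    """(7): ceil(alpha * l) = L - l  =>  l = ceil(L / (1 + alpha))."""
    return ceil(Fraction(L) / (1 + Fraction(str(alpha))))


def state_set_size(alpha: float, l: int) -> int:
    """|H| from (8): l-bit segments with a_0 = 1 and Hamming weight
    >= ceil(alpha*l); the other l-1 bits must carry weight >= ceil(alpha*l)-1.
    Fractions keep ceil(alpha*l) exact (0.6*25 must give 15, not 16)."""
    low = ceil(Fraction(str(alpha)) * l) - 1
    return sum(comb(l - 1, i) for i in range(low, l))


def beta(alpha: float, L: int) -> float:
    """(9): |H| = 2^(beta*l), so beta = log2|H| / l."""
    l = segment_length(alpha, L)
    return log2(state_set_size(alpha, l)) / l


def time_exponent(alpha: float) -> float:
    """Theorem 1: time O(L^3 * 2^(e*L)) with e = 1/(1+alpha); beta cancels
    because the N keystream positions and the 2^(beta l) guesses multiply."""
    return 1 / (1 + alpha)


def data_exponent(alpha: float, L: int) -> float:
    """Theorem 1 / (10): keystream O(2^(e*L)) with e = (1-beta)/(1+alpha)."""
    return (1 - beta(alpha, L)) / (1 + alpha)


def success_probability(alpha: float, L: int, N: int) -> float:
    """Corollary 1: each of the N-L keystream segments matches a state of H
    with probability 2 * 2^(-(1-beta) l), l = L/(1+alpha) as in (7)."""
    l = L / (1 + alpha)
    p_match = 2 * 2 ** (-(1 - beta(alpha, L)) * l)
    return 1 - (1 - p_match) ** (N - L)


def table_row(alpha: float, L: int) -> tuple:
    """(beta, time exponent, data exponent) rounded as in Tables 2 and 3."""
    return (round(beta(alpha, L), 2), round(time_exponent(alpha), 3),
            round(data_exponent(alpha, L), 3))


if __name__ == "__main__":
    # L = 40 is the regime of Table 3; L = 1000 approximates the asymptotic Table 2.
    for L in (40, 1000):
        print(f"L = {L}")
        for alpha in (0.5, 0.6, 0.75, 0.8, 0.9, 1.0):
            print(f"  alpha = {alpha:<4} (beta, time exp, data exp) = {table_row(alpha, L)}")
    # The paper's L = 40, alpha = 0.6 experiment with 200 keystream bits.
    print("success rate for L=40, alpha=0.6, N=200:",
          success_probability(0.6, 40, 200))
```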

3 Comparisons and Experimental Results 

We first present a detailed comparison with some other well-known attacks 
against the self-shrinking generator. Then, a number of experimental results 
are provided to verify the actual performance of the new attack. The advantages 
of our attack are pointed out at the end of this section. 

3.1 Comparisons with Other Attacks 

We mainly focus on the following attacks against the self-shrinking generator, 
i.e. Mihaljevic's attack in [26], the search tree attack in [31], the BDD-based 
attack in [18] and the time/memory/data tradeoff attack in [3]. Table 4 
summarizes the corresponding results. 

We can see from Table 4 that our attack achieves the best tradeoff between 
the time, memory, data and pre-computation complexities. More precisely, the 
attack in [26] suffers from the large amount of keystream, which reaches 
$O(2^{0.5L})$ to obtain the best time complexity $O(2^{0.5L})$. Both the search tree attack 
Table 4. Asymptotic complexity comparisons with some other well-known attacks 
against the self-shrinking generator with the LFSR of length $L$ 

| Attack                 | Pre-computation   | Time             | Memory                      | Data             | 
| [26] A                 |                   | $O(2^{0.5L})$    | $O(L)$                      | $O(2^{0.5L})$    | 
| [26] B                 |                   | $O(2^{0.75L})$   | $O(L)$                      | $O(2^{0.25L})$   | 
| [31]                   |                   | $O(2^{0.694L})$  | exponential (see Section 1) | $O(L)$           | 
| [18]                   |                   | $O(2^{0.656L})$  | $O(2^{0.656L})$             | $O(L)$           | 
| [3] A                  | $P = N/D$         | $T = N^{2/3}$    | $M = N^{1/3}$               | $D = N^{1/3}$    | 
| [3] B                  | $P = N/D$         | $T = N^{1/2}$    | $M = N^{1/2}$               | $D = N^{1/4}$    | 
| Ours ($\alpha = 0.5$)  |                   | $O(2^{0.667L})$  | $O(L^2)$                    | $O(2^{0.007L})$  | 
| Ours ($\alpha = 0.75$) |                   | $O(2^{0.571L})$  | $O(L^2)$                    | $O(2^{0.114L})$  | 
| Ours ($\alpha = 0.8$)  |                   | $O(2^{0.556L})$  | $O(L^2)$                    | $O(2^{0.161L})$  | 

For the two TMD rows, $N$ denotes the search key space and the two tradeoff 
points are explained in the text below. 

in [31] and the BDD-based attack in [18] are unrealistic in terms of the 
memory requirement. In addition, the data complexity of our attack with 
$\alpha = 0.5$ is of the same order as those in [31] and [18] for LFSR 
lengths $L$ up to 2000. The two typical TMD attacks are derived according to 
the two points $T = N^{2/3}$, $M = D = N^{1/3}$ and $T = M = N^{1/2}$, 
$D = N^{1/4}$ on the curve $TM^2D^2 = N^2$ with pre-computation $P = N/D$, 
where $T$, $M$, $D$, $N$ denote time, memory, data and search key space, 
respectively. Even disregarding the heavy pre-computation phase of the TMD 
attack, our attack with $\alpha = 0.8$ has much better memory and data 
complexity compared with the two TMD attacks, without a substantial compromise 
of the real time complexity. 

On the other hand, our attack can deal with different attack conditions and 
requirements smoothly due to the flexible choices of $\alpha$. If only a very 
short keystream and very limited disk space are available to the attacker, we 
can still launch a guess-and-determine attack successfully against the SSG 
with $\alpha \le 0.6$. In this way, we avoid the large memory requirement of 
the two attacks in [31] and [18]. 


3.2 Experimental Results 

We carried out a number of experiments in C on a Pentium 4 processor to check 
the actual performance of our attack. 

Since the guess-and-determine attack in Section 2.2 has no restriction on the 
LFSR form, it has been implemented and tested many times for randomly chosen 
initial states and primitive polynomials of degree $10 \le L \le 50$ involved 
in the self-shrinking generator. For $10 \le L \le 40$, we use $\alpha = 0.6$ 
to mount the attack on the self-shrinking generator. For $40 < L \le 50$, we 
use $\alpha = 0.8$. The results are rather satisfactory. The required keystream 
length is very close to the theoretical value in magnitude and the time 
complexity seems to be upper bounded by the theoretical value, which is just 
as expected. 

For example, let the LFSR's feedback polynomial be 
$f(x) = 1 + x^2 + x^{19} + x^{21} + x^{40}$; then the shift value is 
$x^{2^{39}} \bmod f^*(x) = x^{\,\cdot} + x^{\,\cdot} + x^{30}$ (the first two 
exponents are illegible in the scan), where $f^*(x)$ is the reciprocal 
polynomial of $f(x)$. For a randomly chosen initial state, our attack takes 
several minutes to recover the initial state or an equivalent state with 
success rate (see Table 3 and Corollary 1) 

$1 - \left(1 - 2 \cdot 2^{-(1 - 0.88) \cdot 40 / (1 + 0.6)}\right)^{200 - 40} > 0.99$ 

from 200 bits of keystream. 

As a summary, our attack has at least the following advantages over the past 
relevant attacks against the self-shrinking generator: 

— significantly smaller memory complexity with a time complexity quite close 
to $O(2^{0.5L})$; 

— no pre-computation or, if one likes (pre-computing $h(x)$), a significantly 
smaller pre-processing time complexity without a compromise of the real attack 
complexity; 

— flexibility with respect to different attack conditions and requirements. 

These features guarantee that the proposed guess-and-determine attack can pro- 
vide a better tradeoff between the time, memory and data complexities than all 
the previously known attacks against the self-shrinking generator. Especially, it 
compares favorably with the general time/memory/data tradeoff attack. Thus, 
our attack is the best answer known so far to a well-known open problem spec- 
ified by the European STORK project. 

4 Conclusions 

In this paper, we proposed a new type of guess-and-determine attack on the self- 
shrinking generator. The new attack adapts well to different attack conditions 
and enables us to analyze the self-shrinking generator with the best tradeoff 
between the time, memory, data and pre-computation complexities known so far. 
So our result is the best answer to the corresponding open problem in STORK 
project known so far. 


Acknowledgements. We would like to thank one of the anonymous reviewers 
Abstract. Stream ciphers play an important role in symmetric cryptology 
because of their suitability in high speed applications where block ciphers 
fall short. A large number of fast stream ciphers or pseudorandom bit 
generators (PRBG's) can be found in the literature that are based on arrays 
and simple operations such as modular additions, rotations and memory accesses 
(e.g. RC4, RC4A, Py, Py6, ISAAC etc.). This paper investigates the security of 
array-based stream ciphers (or PRBG's) against certain types of distinguishing 
attacks in a unified way. We argue, counter-intuitively, that the most useful 
characteristic of an array, namely, the association of array-elements with 
unique indices, may turn out to be the origin of distinguishing attacks if 
adequate caution is not maintained. In short, an adversary may attack a cipher 
simply by exploiting the dependence of array-elements on the corresponding 
indices. Most importantly, the weaknesses are not eliminated even if the 
indices and the array-elements are made to follow uniform distributions 
separately. Exploiting these weaknesses we build distinguishing attacks with 
reasonable advantage on five recent stream ciphers (or PRBG's), namely, 
Py6 (2005, Biham et al.), IA, ISAAC (1996, Jenkins Jr.), NGG, GGHN 
(2005, Gong et al.) with data complexities $2^{68.61}$, $2^{32.89}$, 
$2^{16.89}$, $2^{32.89}$ and $2^{32.89}$ respectively. In all the cases we 
worked under the assumption that the key-setup algorithms of the ciphers 
produced uniformly distributed internal states. We only investigated the 
mixing of bits in the keystream generation algorithms. In hindsight, we also 
observe that the previous attacks on the other array-based stream ciphers 
(e.g. Py, etc.) can also be explained in the general framework developed in 
this paper. We hope that our analyses will be useful in the evaluation of the 
security of stream ciphers based on arrays and modular addition. 


1 Introduction 

Stream ciphers are of paramount importance in fast cryptographic applications 
such as encryption of streaming data where information is generated at a high 
speed. Unfortunately, the state of the art of this type of cipher, to 
euphemize, is not very promising, as reflected in the failure of the NESSIE 
project to select a single cipher for its profile [13] and also the attacks on 
a number of submissions to the ongoing ECRYPT project [6]. Because of plenty 
of common features as well as dissimilarities, it is almost impossible to 
classify the entire gamut of stream ciphers into small, well-defined, disjoint 
groups, so that one group of ciphers can be analyzed in isolation from the 
others. However, in view of the identical data structures and similar 
operations in a number of stream ciphers and the fact that they are vulnerable 
to certain kinds of attacks originating from some basic flaws inherent in the 
design, it makes sense to scrutinize the class of ciphers in a unified way. As 
the title suggests, the paper takes a closer look at stream ciphers connected 
by a common feature that each of them uses (i) one or more arrays (1) as the 
main part of the internal state and (ii) the operation modular addition in the 
pseudorandom bit generation algorithm. Apart from addition over different 
groups (e.g., $\mathrm{GF}(2^n)$ and $\mathrm{GF}(2)$), the stream ciphers 
under consideration only admit simple operations such as memory access (direct 
and indirect) and cyclic rotation of bits, which are typical of any fast 
stream cipher. In the present discussion we omit the relatively rare class of 
stream ciphers which may nominally use arrays and addition, but whose security 
depends significantly on special functions such as those based on algebraic 
hard problems, the Rijndael S-box etc. 

* This work was supported in part by the Concerted Research Action (GOA) 
Ambiorix 2005/11 of the Flemish Government and in part by the European 
Commission 

To the best of our knowledge, the RC4 stream cipher, designed by Ron Rivest in 
1987, is the first stream cipher which exploits the features of an array in generating 
pseudorandom bits, using a few simple operations. Since then a large number of 
array-based ciphers or PRBG’s - namely, RC4A [14], VMPC stream cipher [20], 
IA, IBAA, ISAAC [10], Py [2], Py6 [4], Pypy [3], HC-256 [18], NGG [12], GGHN [8] 
- have been proposed that are inspired by the RC4 design principles. The Scream 
family of ciphers [9] also uses arrays and modular additions in their round func- 
tions, however, the security of them hinges on a tailor-made function derived from 
Rijndael S-box rather than mixing of additions over different groups (e.g., $\mathrm{GF}(2^n)$ 
and GF(2)) and cyclic rotation of bits; therefore, this family of ciphers is excluded 
from the class of ciphers to be discussed in the paper. 

First, in Table 1, we briefly review the pros and cons of the RC4 stream 
cipher, which is the predecessor of all the ciphers to be analyzed later. 
Unfortunately, the RC4 cipher is compatible with the old fashioned 8-bit 
processors only. Except for RC4A and the VMPC cipher (which are designed to 
work on 8-bit processors), all the other ciphers described before are suitable 
for modern 16/32-bit architectures. Moreover, those 16/32-bit ciphers have 
been designed with the ambition of incorporating all the positive aspects of 
RC4, while ruling out its negative properties as listed in Table 1. However, 
the paper observes that a certain amount of caution is necessary to adapt 
RC4-like ciphers to 16/32-bit architectures. Here, we mount distinguishing 
attacks on the ciphers (or PRBG's) Py6, IA, ISAAC, NGG, GGHN, all of them 
designed to suit 16/32-bit processors, with data $2^{68.61}$, $2^{32.89}$, 
$2^{16.89}$, $2^{32.89}$ and $2^{32.89}$ respectively, exploiting 


1 An array is a data structure containing a set of elements associated with unique 
indices. 
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Table 1. Pros and cons of the RC4 cipher 


Advantages of RC4 

Disadvantages of RC4 

Arrays allow for huge secret internal state 

Not suitable for 16/32-bit architecture 

Fast because of fewer operations per round 

Several distinguishing attacks 

Simple Design 

Weak Key-setup algorithm 

No key recovery attacks better than brute force 



similar weaknesses in their designs (note that another 32-bit array-based cipher 
Py has already been attacked in a similar fashion [5,15]). Summarily the attacks 
on the class of ciphers described in this paper originate from the following basic 
although not independent facts. However, note that our attacks are based on the 
assumptions that the key-setup algorithms of the ciphers are ‘perfect’, that is, 
after the execution of the algorithms they produce uniformly distributed internal 
states (more on that in Sect. 1.2). 

— Array-elements are large (usually of size 16/32 bits), but the array-indices 
are short (generally of size 8 bits). 

— Only a few elements of the arrays undergo changes in consecutive rounds. 

— Usage of both pseudorandom index-pointers and pseudorandom array- 
elements in a round, which apparently seems to provide stronger security 
than the ciphers with fixed pointers, may leave room for attacks arising 
from the correlation between the index-pointers and the corresponding array- 
elements (see discussion in Sect. 2.2). 

— Usage of simple operations like addition over $GF(2^n)$ and $GF(2)$ in output 
generation. 

Essentially, our attacks based on the above facts have their origins in the fortuitous 
states attack on RC4 by Fluhrer and McGrew [7]. 

A general framework to attack array-based stream ciphers with the above 
characteristics is discussed in Sect. 2. Subsequently, in Sect. 3.1, 3.2 and 3.3, as 
concrete support for our argument, we show distinguishing attacks on five stream 
ciphers (or PRBG's). The purpose of the paper is by no means to claim that 
array-based ciphers are intrinsically insecure and should therefore be rejected 
without analyzing their merits; rather, we stress that when such a PRBG turns 
out to be extremely fast (such as Py, Py6, IA, ISAAC, NGG, GGHN) a warning 
should be issued to the designers to recheck that it is free from the weaknesses 
described here. In Sect. 3.5, we comment on the security of three other array-based 
ciphers (or PRBG's), IBAA, Pypy and HC-256, which for the moment do not come 
under attack; however, they are slower than the ones attacked in this paper. 

1.1 Notation and Convention 

— The symbols $\oplus$, $+$, $-$, $\ll$, $\gg$, $\lll$, $\ggg$ are used as per convention. 

— The $i$th bit of the variable $X$ is denoted $X_{(i)}$ (the lsb is the 0th bit). 

— The segment of $m - n + 1$ bits between the $m$th and the $n$th bits of the 
variable $X$ is denoted by $X_{(m,n)}$. 

— The abbreviation for Pseudorandom Bit Generator is PRBG. 

— $P[A]$ denotes the probability of occurrence of the event $A$. 

— $E^c$ denotes the complement of the event $E$. 

— At any round $t$, some part of the internal state is updated before the output 
generation and the rest is updated after that. Example: in Algorithm 3, the 
variables $a$ and $m$ are updated before the output generation in line 5. The 
variables $i$ and $b$ are updated after or at the same time as the output 
generation. Our convention is: a variable $S$ is denoted by $S_t$ at the time of 
output generation of round $t$. As each of the variables is modified in a single 
line of the corresponding algorithm, after the modification its subscript is 
incremented. 

1.2 Assumption 

In this paper we concentrate solely on the mixing of bits by the keystream gener- 
ation algorithms (i.e., PRBG's) of several array-based stream ciphers and assume 
that the corresponding key-setup algorithms are perfect. A perfect key-setup 
algorithm produces an internal state that leaks no statistical information to the at- 
tacker. In other words, because of the difficulty of deducing any relations between 
the inputs and outputs of the key-setup algorithm, the internal state produced 
by the key-setup algorithm is assumed to follow the uniform distribution. 

2 Stream Ciphers Based on Arrays and Modular 
Addition 

2.1 Basic Working Principles 

The basic working principle of the PRBG of a stream cipher, based on one or 
multiple arrays, is shown in Fig. 1. For simplicity, we take snapshots of the 
internal state, composed of only two arrays, at two close rounds denoted by 
round $t$ and round $t' = t + \delta$. However, our analysis is still valid with more 
arrays and rounds than just two. Now we delineate the rudiments of the PRBG 
of such ciphers. 

— Components: The internal state of the cipher comprises all or part of the 
following components. 

1. One or more arrays of $n$-bit elements ($X_1$ and $X_2$ in Fig. 1). 

2. One or more variables for indexing into the arrays, i.e., the index-pointers 
(down arrows in Fig. 1). 

3. One or more random variables usually of $n$-bit length ($m_1, m_2, m'_1, m'_2$ 
in Fig. 1). 

— Modification to the Internal State at a round 

1. Index Pointers: The most notable feature of such ciphers is that they have 
two sets of index pointers: (i) some of them are fixed or updated in a 
known way, i.e., independent of the secret part of the state (solid arrows 
in Fig. 1), and (ii) the other set of pointers are updated pseudorandomly, 
i.e., based on one or more secret components of the internal state (dotted 
arrows in Fig. 1). 

[Fig. 1. Internal State at (a) round $t$ and (b) round $t' = t + \delta$] 

2. Arrays: A few elements of the arrays are updated pseudorandomly based 
on one or more components of the internal state (the shaded cells of 
the arrays in Fig. 1). Note that, in two successive rounds, only a small 
number of array-elements (e.g. one or two in each array) are updated. 
Therefore, most of the array-elements remain identical in consecutive 
rounds. 

3. Other variables if any: They are updated using several components of 
the internal state. 

— Output generation: The output generation function at a round is a non- 
linear combination of different components described above. 

2.2 Weaknesses and General Attack Scenario 

Before assessing the security of array-based ciphers in general, for easy under- 
standing, we first deal with a simple toy cipher with certain properties which 
induce a distinguishing attack on it. The output at round $t$ is denoted by $Z_t$. 

Remark 1. The basis for the attacks described throughout the paper including 
the one in the following example is searching for internal states for which the 
outputs can be predicted with bias. This strategy is inspired by the fortuitous 
states attacks by Fluhrer and McGrew on the RC4 stream cipher [7] . 

Example 1. Let the size of the internal state of a stream cipher with the follow- 
ing properties be $k$ bits. 

Property 1. The outputs $Z_{t_1}$, $Z_{t_2}$ are as follows: 

  $Z_{t_1} = X \oplus Y + (A \lll B)$,   (1) 

  $Z_{t_2} = M + N \oplus (C \lll D)$,   (2) 

where $X, Y, A, B, M, N, C, D$ are uniformly distributed and independent. 

Property 2. [Bias-inducing State] If certain $k'$ bits ($0 < k' < k$) of the internal 
state are set to all 0's (denote the occurrence of such a state by event $E$) at round 
$t_1$, then the following equations hold: 

  $X = M$, $Y = N$, $B = D = 0$, $A = C$. 

Therefore, (1) and (2) become 

  $Z_{t_1} = X \oplus Y + A$, $Z_{t_2} = X + Y \oplus A$. 

Now it follows directly from the above equations that, for a fraction $2^{-k'}$ of 
all internal states, 

  $P[Z_{(0)} = (Z_{t_1} \oplus Z_{t_2})_{(0)} = 0 \mid E] = 1$.   (3) 

Property 3. If the internal state is chosen randomly from the rest of the states, 
then 

  $P[Z_{(0)} = 0 \mid E^c] = \tfrac{1}{2}$.   (4) 

Combining (3) and (4) we get the overall bias for $Z_{(0)}$, 

  $P[Z_{(0)} = 0] = \tfrac{1}{2}\,(1 + 2^{-k'})$.   (5) 

Note that, if the cipher were a secure PRBG then $P[Z_{(0)} = 0] = \tfrac{1}{2}$. 

Discussion. Now we argue that an array-based cipher has all the three proper- 
ties of the above example; therefore, the style of attack presented in the example 
can possibly be applied to an array-based cipher too. First, we discuss the op- 
erations involved in the output generation of the PRBG. Let the internal state 
consist of $N$ arrays and $M$ other variables. At round $t$, the arrays are denoted by 
$S_{1,t}[\cdot], S_{2,t}[\cdot], \ldots, S_{N,t}[\cdot]$ and the variables by $m_{1,t}, m_{2,t}, \ldots, m_{M,t}$. 
We observe that the output $Z_t$ is of the following form, 

  $Z_t = \mathrm{ROT}[\cdots \mathrm{ROT}[\mathrm{ROT}[\mathrm{ROT}[V_{1,t}] \odot \mathrm{ROT}[V_{2,t}]] \odot \mathrm{ROT}[V_{3,t}]] \odot \cdots \odot \mathrm{ROT}[V_{k,t}]]$   (6) 

where each $V_{i,t}$ is either one of the variables $m_{g,t}$ or an element of one of the 
arrays $S_{h,t}[\cdot]$; $\mathrm{ROT}[\cdot]$ is the cyclic rotation function, by an amount either 
constant or variable depending on the secret state; the function $\odot[\cdot,\cdot]$ is either 
bit-wise XOR or addition modulo $2^n$. 

Now we describe a general technique to establish a distinguishing attack on an 
array-based cipher from the above information. We recall that, at the first round 
(round $t_1$ in the present context), the internal state is assumed to be uniformly 
distributed (see Sect. 1.2). 

Step 1. [Analogy with Property 1 of Example 1] Observe the elements of the in- 
ternal state which are involved in the outputs $Z_{t_1}, Z_{t_2}, \ldots$ (i.e., the $V_{i,t}$'s in (6)) 
when the rounds in question are close ($t_1 < t_2 < \cdots$). 

Step 2. [Bias-inducing state, Analogy with Property 2 of Example 1] Fix a 
few bits of some array elements (or fix a relation among them) at the initial 
round $t_1$ such that indices of array-elements in later rounds can be predicted 
with probability 1 or close to it. More specifically, we search for a partially spec- 
ified internal state such that one or both of the following cases occur due to 
predictable index-pointers. 

1. The $V_{i,t}$'s involved in $Z_{t_1}, Z_{t_2}, \ldots$ are those array-elements whose bits are 
already fixed. 

2. Each $V_{i,t}$ is dependent on one or more other variables in $Z_{t_1}, Z_{t_2}, \ldots$. 

Now, for this case, we compute the bias in the output bits. Below we identify the 
reasons why an array-based cipher can potentially fall into the above scenarios. 

Reason 1. Usually, an array-based cipher uses a number of pseudorandom 
index-pointers which are updated by the elements of the array. This fact turns 
out to be a weakness, as fixed values (or a relation) can be assigned to the 
array-elements such that the index-pointers fetch values from known locations. 
In other words, the weakness results from the correlation between index-pointers 
and array-elements which, although uniformly distributed individually, are 
not independent of each other. 

Reason 2. Barring a few, most of the array-elements do not change in rounds 
which are close to each other. Therefore, by fixing bits, it is sometimes easy to 
force the pseudorandom index-pointers to fetch certain elements from the arrays in 
successive rounds. 

Reason 3. The size of an index-pointer is small, usually 8 bits, irrespective 
of the size of an array-element, which is either 16 bits or 32 bits or 64 bits. 
Therefore, by fixing a small number of bits of the array-elements, it is possible to 
assign appropriate values to the index-pointers. The fewer the fixed bits, the 
greater the bias (note the parameter $k'$ in (5)). 

Reason 4. If the rotation operations in the output function are determined 
by pseudorandom array elements (see (6)) then fixing a few bits of the internal 
state can simplify the function by freeing it from rotation operations. In many 
cases rotation operations are not present in the function. In any case the output 
function takes the following form. 

  $Z_t = V_{1,t} \odot V_{2,t} \odot V_{3,t} \odot \cdots \odot V_{k,t}$. 

Irrespective of whether '$\odot$' denotes '$\oplus$' or '$+$', the following equation holds for 
the lsb of $Z_t$: 

  $Z_{t(0)} = V_{1,t(0)} \oplus V_{2,t(0)} \oplus V_{3,t(0)} \oplus \cdots \oplus V_{k,t(0)}$. 

Now, by adjusting the index-pointers through fixing bits, if certain equalities 
among the $V_{i,t}$'s are ensured then $Z_{t(0)} = 0$ occurs with probability 1 rather 
than probability 1/2. 

Step 3. [Analogy with Property 3 of Example 1] Prove or provide strong evi- 
dence that, for the rest of the states other than the bias-inducing state, the bias 
generated in the previous step is not counterbalanced. 

Reason. The internal state of such a cipher is huge and uniformly distributed 
at the initial round. The correlation, detected among the indices and array- 
elements in Step 2, is fortuitous although not entirely surprising because the 
variables are not independent. Therefore, the possibility that a bias, produced 
by an accidental state, is totally counterbalanced by another accidental state 
is negligible. In other words, if the bias-inducing state, as explained in Step 2, 
does not occur, it is likely that at least one of the $V_{i,t}$'s in (6) is uniformly dis- 
tributed and independent; this fact ensures that the outputs are also uniformly 
distributed and independent. 

Step 4. [Analogy with (5) of Example 1] Estimate the overall bias from the 
results in Steps 2 and 3. □ 

In the next section, we attack several array-based ciphers following the methods 
described in this section. 

3 Distinguishing Attacks on Array-Based Ciphers or 
PRBG’s 

This section describes distinguishing attacks on the ciphers (or PRBG's) Py6, 
IA, ISAAC, NGG and GGHN, each of which is based on arrays and modular 
addition. Due to space constraints, full descriptions of the ciphers are omitted; the 
reader is kindly referred to the corresponding design papers for details. For each 
of the ciphers, our task is essentially twofold, as summed up below. 

1. Identification of a Bias-inducing State. This state is denoted by the 
event $E$, which adjusts the index-pointers in such a way that the lsb's of the 
outputs are biased. The lsb's of the outputs are potentially vulnerable as 
they are generated without any carry bits, which are nonlinear combinations 
of input bits (see Step 2 of the general technique described in Sect. 2.2). 

2. Computation of the Probability of Overall Bias. The probability is 
calculated considering both $E$ and $E^c$. As suggested in Step 3 of Sect. 2.2, 
for each cipher, the lsb's of the outputs are uniformly distributed if the event 
$E$ does not occur, under the assumption mentioned in Sect. 1.2. 


Note. For each of the five ciphers attacked in the subsequent sections, it can be 
shown that, if $E$ (i.e., the bias-inducing state) does not occur then the variable 
under investigation is uniformly distributed under the assumption of a uniformly 
distributed internal state after the key-setup algorithm. We omit those proofs 
due to space constraints. 

3.1 Bias in the Outputs of Py6 

The stream cipher Py6, designed especially for fast software applications by Bi- 
ham and Seberry in 2005, is one of the modern ciphers that are based on arrays 
[2,4].² Although the cipher Py, a variant of Py6, was successfully attacked [15,5], 
Py6 has so far remained unbroken. The PRBG of Py6 is described in Algorithm 1 
(see [2,4] for a detailed discussion). 


Algorithm 1. Single Round of Py6 
Input: Y[−3, ..., 64], P[0, ..., 63], a 32-bit variable s 
Output: 64-bit random output 
    /* Update and rotate P */ 
 1: swap(P[0], P[Y[43] & 63]); 
 2: rotate(P); 
    /* Update s */ 
 3: s += Y[P[18]] − Y[P[57]]; 
 4: s = ROTL32(s, (P[26] + 18) & 31); 
    /* Output 8 bytes (least significant byte first) */ 
 5: output((ROTL32(s, 25) ⊕ Y[64]) + Y[P[8]]); 
 6: output((s ⊕ Y[−1]) + Y[P[21]]); 
    /* Update and rotate Y */ 
 7: Y[−3] = (ROTL32(s, 14) ⊕ Y[−3]) + Y[P[48]]; 
 8: rotate(Y); 

Bias-producing State of Py6. Below we identify six conditions among the 
elements of the S-box $P$, for which the distribution of $Z_{1,1} \oplus Z_{2,3}$ is biased ($Z_{1,t}$ 
and $Z_{2,t}$ denote the lower and upper 32 bits of the output, respectively, at round $t$). 

  C1. $P_2[26] \equiv -18 \pmod{32}$;  C2. $P_3[26] \equiv 7 \pmod{32}$;  C3. $P_2[18] = P_3[57] + 1$; 
  C4. $P_2[57] = P_3[18] + 1$;  C5. $P_1[8] = 1$;  C6. $P_3[21] = 62$. 

Let the event $E$ denote the simultaneous occurrence of the above conditions 
($P[E] \approx 2^{-33.86}$). It can be shown that, if $E$ occurs then $Z_{(0)} = 0$ where $Z$ 
denotes $Z_{1,1} \oplus Z_{2,3}$ (see the full version of the paper [16]). Now we calculate the 
probability of occurrence of $Z_{(0)} = 0$: 

  $P[Z_{(0)} = 0] = P[Z_{(0)} = 0 \mid E] \cdot P[E] + P[Z_{(0)} = 0 \mid E^c] \cdot P[E^c]$ 
              $= 1 \cdot 2^{-33.86} + \tfrac{1}{2} \cdot (1 - 2^{-33.86})$ 
              $= \tfrac{1}{2}\,(1 + 2^{-33.86})$.   (7) 

² The cipher has been submitted to the ECRYPT Project [6]. 

Note that, if Py6 had been an ideal PRBG then the above probability would 
have been exactly $\tfrac{1}{2}$. 

Remark 2. The above bias can be generalized to rounds $t$ and $t + 2$ ($t > 0$) 
rather than only rounds 1 and 3. 

Remark 3. The main difference between Py and Py6 is that the locations of 
the S-box elements used by one cipher differ from those used by the other. The 
significance of the above result is that it shows that changing the locations 
of array-elements is futile if the cipher retains some intrinsic weaknesses as ex- 
plained in Sect. 2.2. Note that Py was attacked with $2^{84.7}$ data while Py6 is with 
$2^{68.61}$ (explained in Sect. 3.4). 


3.2 Biased Outputs in IA and ISAAC 

At FSE 1996, R. Jenkins Jr. proposed two fast PRBG's, namely IA and ISAAC, 
along the lines of the RC4 stream cipher [10]. The round functions of IA and 
ISAAC are shown in Algorithm 2 and Algorithm 3. Each of them uses an array 
of 256 elements. The size of an array-element is 16 bits for IA and 32 bits for 
ISAAC. However, IA and ISAAC can be adapted to work with array-elements 
of larger size too. For IA, this is the first time that an attack is proposed. For 
ISAAC, the earlier attack was by Pudovkina, who claimed to have deduced its 
internal state with time $4.67 \cdot 10^{1240}$, which is far more than an exhaustive 
search through keys of the usual size of 256 bits or 128 bits [17]. On the other 
hand, we shall see later in Sect. 3.4 that our distinguishing attacks can be built 
with much lower time complexities. $Z_t$ denotes the output at round $t$. 


Algorithm 2. PRBG of IA 
Input: m[0, 1, ..., 255], 16-bit random variable b 
Output: 16-bit random output 
 1: i = 0; 
 2: x = m[i]; 
 3: m[i] = y = m[ind(x)] + b mod 2^16;   /* ind(x) = x_(7,0) */ 
 4: Output = b = m[ind(y ≫ 8)] + x mod 2^16; 
 5: i = i + 1 mod 256; 
 6: Go to step 2; 


Bias-inducing State of IA. Let $m_t[i_t + 1 \bmod 256] = a$. If the following 
condition 

  $\mathrm{ind}((a + Z_t) \gg 8) = \mathrm{ind}(a) = i_t + 1$   (8) 

is satisfied then 

  $Z_{(0)} = Z_{t(0)} \oplus Z_{t+1(0)} = 0$. 

A pictorial description of the state is provided in the full version of the paper 
[16]. Let event $E$ occur when (8) holds. Note that $P[E] = 2^{-16}$ assuming 
$a$ and $Z_t$ are independent and uniformly distributed. Therefore, 

  $P[Z_{(0)} = 0] = P[Z_{(0)} = 0 \mid E] \cdot P[E] + P[Z_{(0)} = 0 \mid E^c] \cdot P[E^c]$ 
              $= 1 \cdot 2^{-16} + \tfrac{1}{2} \cdot (1 - 2^{-16})$ 
              $= \tfrac{1}{2}\,(1 + 2^{-16})$.   (9) 


Algorithm 3. PRBG of ISAAC 
Input: m[0, 1, ..., 255], two 32-bit random variables a and b 
Output: 32-bit random output 
 1: i = 0; 
 2: x = m[i]; 
 3: a = a ⊕ (a ≪ R) + m[i + K mod 256] mod 2^32; 
 4: m[i + 1] = y = m[ind(x)] + a + b mod 2^32;   /* ind(x) = x_(9,2) */ 
 5: Output = b = m[ind(y ≫ 8)] + x mod 2^32; 
 6: i = i + 1 mod 256; 
 7: Go to step 2. 


Bias-inducing State of ISAAC. For easy understanding, we rewrite the 
PRBG of ISAAC in a simplified manner in Algorithm 3. The variables $R$ 
and $K$, used in step 3 of Algorithm 3, depend on the parameter $i$ (see [10] 
for details); however, we show that our attack can be built independently of those 
variables. 

Let $m_{t-1}[i_t] = x$. Let event $E$ occur when the following equation is satisfied: 

  $\mathrm{ind}((m_{t-1}[\mathrm{ind}(x)] + a_t + b_{t-1}) \gg 8) = i_t$.   (10) 

If $E$ occurs then $Z_t = x + x \bmod 2^{32}$, i.e., $Z_{t(0)} = 0$ (see the full version of the 
paper [16]). As $a_t$, $b_{t-1}$ and $x$ are independent and each of them is uniformly 
distributed over $\mathbb{Z}_{2^{32}}$, the following equation captures the bias in the output: 

  $P[Z_{t(0)} = 0] = P[Z_{t(0)} = 0 \mid E] \cdot P[E] + P[Z_{t(0)} = 0 \mid E^c] \cdot P[E^c]$ 
              $= 1 \cdot 2^{-8} + \tfrac{1}{2} \cdot (1 - 2^{-8})$ 
              $= \tfrac{1}{2}\,(1 + 2^{-8})$.   (11) 

3.3 Biases in the Outputs of NGG and GGHN 

Gong et al. have very recently proposed two array-based ciphers, NGG and GGHN, 
with 32/64-bit word-length [12,8] for very fast software applications. The PRBG's 
of the ciphers are described in Algorithm 4 and Algorithm 5. Both ciphers are 
claimed to be more than three times as fast as RC4. Due to the introduction of an 
extra 32-bit random variable $k$, GGHN is evidently a stronger version of NGG. 
We propose attacks on both ciphers based on the general technique described 
in Sect. 2.2. Note that the NGG cipher was already experimentally attacked by Wu 
without theoretical quantification of the attack parameters such as the bias or the 
required outputs [19]. For NGG, our attack is new, theoretically justifiable and, most 
importantly, conforms to the basic weaknesses of an array-based cipher as explained in 
Sect. 2.2. For GGHN, our attack is the first attack on the cipher. In the following 
discussion, $Z_t$ denotes the output at round $t$. 


Algorithm 4. Pseudorandom Bit Generation of NGG 
Input: S[0, 1, ..., 255] 
Output: 32-bit random output 
 1: i = 0, j = 0; 
 2: i = i + 1 mod 256; 
 3: j = j + S[i] mod 256; 
 4: Swap(S[i], S[j]); 
 5: Output = S[S[i] + S[j] mod 256]; 
 6: S[S[i] + S[j] mod 256] = S[i] + S[j] mod 2^32; 
 7: Go to step 2; 


Bias-inducing State of NGG. Let the event $E$ occur if $i_t = j_t$ and $S_{t+1}[i_{t+1}] + 
S_{t+1}[j_{t+1}] \equiv 2 \cdot S_t[i_t] \pmod{256}$. We observe that, if $E$ occurs then $Z_{t+1(0)} = 0$ 
(see the full version of the paper [16]). Now we compute $P[Z_{t+1(0)} = 0]$ where 
$P[E] \approx 2^{-16}$. 

  $P[Z_{t+1(0)} = 0] = P[Z_{t+1(0)} = 0 \mid E] \cdot P[E] + P[Z_{t+1(0)} = 0 \mid E^c] \cdot P[E^c]$ 
                $= 1 \cdot 2^{-16} + \tfrac{1}{2} \cdot (1 - 2^{-16})$ 
                $= \tfrac{1}{2}\,(1 + 2^{-16})$.   (12) 
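The following is an added example, not code from the paper or from the NGG designers: it implements Algorithm 4 and builds a state in which event $E$ holds, to make the mechanism behind (12) concrete. With $j_t = i_t$ the swap of round $t$ is a no-op and step 6 writes $2 \cdot S_t[i_t] \bmod 2^{32}$ into cell $c = 2 \cdot S_t[i_t] \bmod 256$; steering $S[i_{t+1}] + S[j_{t+1}] \equiv c \pmod{256}$ makes round $t+1$ read that cell back, so $Z_{t+1} = 2 \cdot S_t[i_t] \bmod 2^{32}$, whose lsb is 0. Only the low byte of one cell and the pointer $j_{t-1}$ are fixed; everything else is uniform. The construction skips the rare pointer collisions (cell $c$ coinciding with a pointer of round $t+1$) that the paper's "$P[E] \approx 2^{-16}$" glosses over. Function names, the sampling procedure and the seeds are this example's own.

```python
"""Added example (not from the paper): NGG per Algorithm 4 and its bias-inducing state."""
import random

MASK32 = 0xFFFFFFFF


class NGG:
    """PRBG of Algorithm 4: 256 words of 32 bits, 8-bit pointers i and j."""

    def __init__(self, S, i=0, j=0):
        self.S, self.i, self.j = list(S), i & 0xFF, j & 0xFF

    def round(self):
        S = self.S
        self.i = (self.i + 1) & 0xFF                    # step 2
        self.j = (self.j + S[self.i]) & 0xFF            # step 3
        S[self.i], S[self.j] = S[self.j], S[self.i]     # step 4
        idx = (S[self.i] + S[self.j]) & 0xFF            # index shared by steps 5 and 6
        out = S[idx]                                     # step 5
        S[idx] = (S[self.i] + S[self.j]) & MASK32        # step 6
        return out


def build_bias_inducing_state(rng):
    """Return (S, i_{t-1}, j_{t-1}, s) with s = S_t[i_t] such that E holds at round t,
    or None when a pointer collision would move the predicted cell (caller resamples)."""
    S = [rng.getrandbits(32) for _ in range(256)]      # constructed uniform array
    i_t = rng.randrange(256)
    j_prev = (i_t - S[i_t]) & 0xFF          # forces j_t = j_{t-1} + S[i_t] = i_t
    s = S[i_t]                              # = S_t[i_t]: the swap of round t is a no-op
    c = (2 * s) & 0xFF                      # cell read and rewritten in round t
    i_next = (i_t + 1) & 0xFF
    j_next = (i_t + S[i_next]) & 0xFF       # j_{t+1} = j_t + S[i_{t+1}] with j_t = i_t
    if len({c, i_t, i_next, j_next}) < 4:
        return None
    # Fix only the low byte of S[j_next] so that S[i_next] + S[j_next] = c (mod 256).
    # j_next differs from i_t, i_next and c, so s, c and j_next stay as computed.
    S[j_next] = (S[j_next] & 0xFFFFFF00) | ((c - S[i_next]) & 0xFF)
    return S, (i_t - 1) & 0xFF, j_prev, s


def run_two_rounds(rng):
    """Sample a state in E, run rounds t and t+1; return (s, Z_t, Z_{t+1}, E_held)."""
    built = None
    while built is None:
        built = build_bias_inducing_state(rng)
    S, i_prev, j_prev, s = built
    cipher = NGG(S, i_prev, j_prev)
    z_t = cipher.round()
    assert cipher.i == cipher.j, "construction error: j_t must equal i_t"
    # E as stated in Sect. 3.3; the swap of round t+1 does not change S[i] + S[j],
    # so it can be evaluated on the state after round t.
    i_next = (cipher.i + 1) & 0xFF
    j_next = (cipher.j + cipher.S[i_next]) & 0xFF
    e_held = ((cipher.S[i_next] + cipher.S[j_next]) & 0xFF) == ((2 * s) & 0xFF)
    z_next = cipher.round()
    return s, z_t, z_next, e_held


def experiment(trials=1000, seed=11):
    """Lsb statistics of Z_{t+1} in E versus unconstrained random states."""
    rng = random.Random(seed)
    lsb_zero_in_e = formula_holds = 0
    for _ in range(trials):
        s, _, z_next, e_held = run_two_rounds(rng)
        assert e_held
        lsb_zero_in_e += (z_next & 1) == 0
        formula_holds += z_next == ((2 * s) & MASK32)
    control = 0
    for _ in range(trials):
        c = NGG([rng.getrandbits(32) for _ in range(256)],
                rng.randrange(256), rng.randrange(256))
        c.round()
        control += (c.round() & 1) == 0
    return {"trials": trials, "lsb_zero_in_E": lsb_zero_in_e,
            "formula_holds_in_E": formula_holds, "lsb_zero_random": control}


if __name__ == "__main__":
    print(experiment())
```

The two $2^{-8}$ factors behind $P[E] \approx 2^{-16}$ are visible in the construction: one 8-bit pointer coincidence ($j_t = i_t$) and one 8-bit equality on a sum of array elements.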


Algorithm 5. Pseudorandom Bit Generation of GGHN 
Input: S[0, 1, ..., 255], k 
Output: 32-bit random output 
 1: i = 0, j = 0; 
 2: i = i + 1 mod 256; 
 3: j = j + S[i] mod 256; 
 4: k = k + S[j] mod 2^32; 
 5: Output = S[S[i] + S[j] mod 256] + k mod 2^32; 
 6: S[S[i] + S[j] mod 256] = k + S[i] mod 2^32; 
 7: Go to step 2; 


Bias-producing State of GGHN. If $S_t[i_t] = S_{t+1}[j_{t+1}]$ and $S_t[j_t] = S_{t+1}[i_{t+1}]$ 
(denote this by event $E$) then $Z_{t+1(0)} = 0$ (see the full version of the paper [16]). 
Now we compute $P[Z_{t+1(0)} = 0]$ where $P[E] = 2^{-16}$. 

  $P[Z_{t+1(0)} = 0] = P[Z_{t+1(0)} = 0 \mid E] \cdot P[E] + P[Z_{t+1(0)} = 0 \mid E^c] \cdot P[E^c]$ 
                $= 1 \cdot 2^{-16} + \tfrac{1}{2} \cdot (1 - 2^{-16})$ 
                $= \tfrac{1}{2}\,(1 + 2^{-16})$.   (13) 

3.4 Data and Time of the Distinguishing Attacks 

In this section we compute the data and time complexities of the distinguishers 
derived from the biases computed in the previous sections. A distinguisher is an 
algorithm which distinguishes a stream of bits from a perfectly random stream 
of bits, that is, a stream of bits that has been chosen according to the uniform 
distribution. The advantage of a distinguisher is the measure of its success rate 
(see [1] for a detailed discussion). 

Let there be $n$ binary random variables $z_1, z_2, \ldots, z_n$ which are independent 
of each other and each of them follows the distribution $D_{BIAS}$. Let the uniform 
distribution on the alphabet $\mathbb{Z}_2$ be denoted by $D_{UNI}$. A method to construct an 
optimal distinguisher with a fixed number of samples is given in [1].³ While the detailed 
description of an optimal distinguisher is omitted, the following theorem deter- 
mines the number of samples required by an optimal distinguisher to attain an 
advantage of 0.5, which is considered a reasonable goal. 

Theorem 1. Let the input to an optimal distinguisher be a realization of the 
binary random variables $z_1, z_2, z_3, \ldots, z_n$ where each $z_i$ follows $D_{BIAS}$. To attain 
an advantage of more than 0.5, the least number of samples required by the 
optimal distinguisher is given by the following formula 

  $n = 0.4624 \cdot M^2$, where $P_{D_{BIAS}}[z_i = 0] - P_{D_{UNI}}[z_i = 0] = \tfrac{1}{M}$. 

Proof. See Sect. 5 of [15] for the proof. 

Now $D_{UNI}$ is known and $D_{BIAS}$ can be determined from (7) for Py6, (9) for IA, 
(11) for ISAAC, (12) for NGG, (13) for GGHN. In Table 2, we list the data 
and time complexities of the distinguishers. Our experiments agree well with the 
theoretical results. The constant in $O(n)$ is determined by the time taken by a 
single round of the corresponding cipher. 
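The following is an added example, not code from the paper: it turns Theorem 1 into a computation and a simulation. samples_log2() reproduces the data complexities of Table 2 from the biases (7), (9), (11), (12) and (13), using $1/M = P_{D_{BIAS}}[z=0] - \tfrac{1}{2}$. The distinguisher is the one implied by the theorem for a binary source: the likelihood ratio between $D_{BIAS}$ and $D_{UNI}$ is monotone in the number of zeros, so the optimal test is a threshold on that count, placed here at the midpoint between the two expected counts. Because $2^{32.89}$ samples cannot be simulated, the advantage is estimated on constructed samples with a large artificial bias ($1/M = 1/32$), where $n = 0.4624 \cdot M^2$ is only 474 bits; the choice of bias, threshold placement and seeds is this example's own.

```python
"""Added example (not from the paper): Theorem 1 as code, plus a simulated distinguisher."""
import math
import random


def samples_log2(log2_bias_difference):
    """log2 of n = 0.4624 * M^2, where 1/M = P_BIAS[z=0] - P_UNI[z=0] = 2^log2_bias_difference.

    For (9) (IA), P[Z_(0)=0] = 1/2 (1 + 2^-16): the difference from 1/2 is 2^-17,
    so log2(n) = log2(0.4624) + 34 = 32.89, the IA entry of Table 2.
    """
    return math.log2(0.4624) - 2 * log2_bias_difference


def table2():
    """log2 of the data complexity for each bias of Sect. 3, rounded as in Table 2."""
    # P[Z_(0) = 0] = 1/2 (1 + 2^-e)  =>  difference from 1/2 is 2^-(e+1)
    exponents = {"Py6": 33.86, "IA": 16, "ISAAC": 8, "NGG": 16, "GGHN": 16}
    return {name: round(samples_log2(-(e + 1)), 2) for name, e in exponents.items()}


def optimal_binary_distinguisher(bits, inv_m):
    """Decide BIAS (True) or UNI (False) from a list of sample bits.

    Under D_BIAS with P[0] = 1/2 + 1/M the number of zeros is the sufficient statistic;
    accept BIAS when it exceeds n/2 + n/(2M), the midpoint of the two expected counts.
    """
    n = len(bits)
    zeros = n - sum(bits)
    return zeros > n / 2 + n * inv_m / 2


def simulate_advantage(inv_m, n, trials=4000, seed=2024):
    """Estimate Adv = P[accept | BIAS] - P[accept | UNI] on constructed samples."""
    rng = random.Random(seed)
    p0 = 0.5 + inv_m                      # P_BIAS[z = 0]
    accept_bias = accept_uni = 0
    for _ in range(trials):
        biased = [0 if rng.random() < p0 else 1 for _ in range(n)]
        uniform = [rng.getrandbits(1) for _ in range(n)]
        accept_bias += optimal_binary_distinguisher(biased, inv_m)
        accept_uni += optimal_binary_distinguisher(uniform, inv_m)
    return (accept_bias - accept_uni) / trials


if __name__ == "__main__":
    print(table2())
    M = 32                                # toy bias: P[z = 0] = 1/2 + 1/32
    n = math.ceil(0.4624 * M * M)         # 474 samples
    print("advantage at n = 0.4624 M^2:", simulate_advantage(1 / M, n))
    print("advantage at n / 4:", simulate_advantage(1 / M, n // 4))
```

With $n = 0.4624 \cdot M^2$ the two expected zero counts sit $\sqrt{n}/M \approx 0.68$ standard deviations on either side of the threshold, which is where a symmetric threshold test crosses an advantage of one half; a quarter of the samples gives roughly half that advantage.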

Table 2. Data and time of the distinguishers with advantage exceeding 0.5 

  PRBG   | $M$          | Bytes of a single stream $= 0.4624 \cdot M^2$ | Time 
  -------+--------------+-----------------------------------------------+---------------- 
  Py6    | $2^{34.86}$  | $2^{68.61}$                                   | $O(2^{68.61})$ 
  IA     | $2^{17}$     | $2^{32.89}$                                   | $O(2^{32.89})$ 
  ISAAC  | $2^{9}$      | $2^{16.89}$                                   | $O(2^{16.89})$ 
  NGG    | $2^{17}$     | $2^{32.89}$                                   | $O(2^{32.89})$ 
  GGHN   | $2^{17}$     | $2^{32.89}$                                   | $O(2^{32.89})$ 

³ Given a fixed number of samples, an optimal distinguisher attains the maximum 
advantage. 

3.5 A Note on IBAA, Pypy and HC-256 

IBAA, Pypy and HC-256 are array-oriented ciphers/PRBG's which are still 
free from any attacks. IBAA works in a similar way as ISAAC, except for the 
variable $a$, which plays an important role in the output generation of IBAA [10]. 
It seems that a relation has to be discovered among the values of the parameter 
$a$ at different rounds to successfully attack IBAA. Pypy is a slower variant of Py 
and Py6 [3]. Pypy produces 32 bits per round whereas each of Py and Py6 produces 
64 bits. To attack Pypy, a relation needs to be found among the elements which 
are separated by at least three rounds. To attack HC-256 [18], some correlations 
need to be known among the elements which are cyclically rotated by a constant 
number of bits. 

4 Conclusion 

In this paper, we have studied array-based stream ciphers or PRBG's in a general 
framework to assess their resistance against certain distinguishing attacks origi- 
nating from the correlation between index-pointers and array-elements. We show 
that the weakness becomes more profound because of the usage of simple modu- 
lar additions in the output generation function. In the unified framework we have 
attacked five modern array-based stream ciphers (or PRBG's) Py6, IA, ISAAC, 
NGG, GGHN with data complexities $2^{68.61}$, $2^{32.89}$, $2^{16.89}$, $2^{32.89}$ and $2^{32.89}$ respec- 
tively. We also note that some other array-based stream ciphers (or PRBG's), IBAA, 
Pypy, HC-256, still do not come under any threat; however, the algorithms need to 
be analyzed more carefully in order to be considered secure. We believe that our in- 
vestigation will throw light on the security of array-based stream ciphers in general 
and can possibly be extended to analyze other types of ciphers too. 
Abstract. In this paper, we study the construction of $(2t+1)$-variable 
Boolean functions with maximum algebraic immunity, and we also ana- 
lyze some other cryptographic properties of this kind of functions, such 
as nonlinearity and resilience. We first identify several classes of this kind of 
functions. Further, some necessary conditions for this kind of functions 
to also have higher nonlinearity are obtained. In this way, a modi- 
fied construction method is proposed to possibly obtain $(2t+1)$-variable 
Boolean functions which have maximum algebraic immunity and higher 
nonlinearity, and a class of such functions is also obtained. Finally, we 
present a sufficient and necessary condition for $(2t+1)$-variable Boolean 
functions with maximum algebraic immunity to also be 1-resilient. 

Keywords: Algebraic attack, algebraic immunity, Boolean functions, 
balancedness, nonlinearity, resilience. 


1 Introduction 

The recent progress in research related to algebraic attacks [1,2,5,6] seems to 
threaten all LFSR-based stream ciphers. It is known that Boolean functions used 
in stream ciphers should have high algebraic degree [11]. However, a Boolean 
function may have low-degree multiples even if its algebraic degree is high. By 
this fact it is possible to obtain an over-defined system of multivariate equations 
of low degree whose unknowns are the bits of the initialization of the LFSR(s). 
Then the secret key can be discovered by solving the system. 

To measure the resistance to algebraic attacks, a new cryptographic property 
of Boolean functions called algebraic immunity (AI) has been proposed by W. 
Meier et al. [16]. When used in a cryptosystem, a Boolean function should have 
high AI. Now, it is known that the AI of an $n$-variable Boolean function is upper 
bounded by $\lceil n/2 \rceil$ [6,16]. Balancedness, nonlinearity and correlation-immunity are 
three other important cryptographic criteria. In some sense, algebraic immunity 
is compatible with the former two criteria: a Boolean function with low nonlin- 
earity will have low AI [7,14], and a Boolean function of an odd number of variables 
with maximum AI must be balanced [7]. The existence of links between algebraic 
immunity and correlation-immunity remains open. 

Constructions of Boolean functions with maximum AI are obviously impor- 
tant. Further, it is more important to construct such functions which also satisfy 
some other criteria (such as balancedness, a high nonlinearity, a high correlation- 
immunity order, ...). Some classes of symmetric Boolean functions with max- 
imum AI were obtained in [3] and [9], and it was shown in [12] that there is 
only one such symmetric function (besides its complement) when the number 
of input variables is odd. A construction keeping in mind the basic theory of 
algebraic immunity was presented in [9], which also provided some functions 
with maximum AI. In [4], Carlet introduced a general method (for any number 
of variables) and an algorithm (for an even number of variables) for construct- 
ing balanced functions with maximum AI. In [13], a method was proposed for 
constructing functions of an odd number of variables with maximum AI, which 
converts the problem of constructing such a function to the problem of finding an 
invertible submatrix of a $2^{n-1} \times 2^{n-1}$ matrix. And it was stated that any such 
function can be obtained by this method. 

In this paper, we study the construction of $(2t+1)$-variable Boolean functions 
with maximum AI, and we also analyze some other cryptographic properties of 
this kind of functions. From the characteristics of the matrix used in the con- 
struction proposed in [13], we obtain some necessary or sufficient conditions for 
$(2t+1)$-variable Boolean functions with maximum AI. Further, by studying the 
Walsh spectra of this kind of functions, we obtain some necessary conditions for 
this kind of functions to also have higher nonlinearity, and thus we propose 
a modified construction to obtain such functions. We finally present a sufficient 
and necessary condition for $(2t+1)$-variable Boolean functions with maximum 
AI to also be 1-resilient. 

2 Preliminaries 

Let $\mathbb{F}_2^n$ be the set of all n-tuples of elements in the finite field $\mathbb{F}_2$. To avoid confusion with the usual sum, we denote the sum over $\mathbb{F}_2$ by $\oplus$.

A Boolean function of n variables is a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2$. Any n-variable Boolean function f can be uniquely expressed by a polynomial in $\mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2 - x_1, \ldots, x_n^2 - x_n)$, which is called its algebraic normal form (ANF). The algebraic degree of f, denoted by deg(f), is the degree of this polynomial. A Boolean function f can also be identified with a binary string of length $2^n$, called its truth table, which is defined as

$(f(0,0,\ldots,0),\ f(1,0,\ldots,0),\ f(0,1,\ldots,0),\ \ldots,\ f(1,1,\ldots,1)).$


Let

$1_f = \{X \in \mathbb{F}_2^n \mid f(X) = 1\}, \qquad 0_f = \{X \in \mathbb{F}_2^n \mid f(X) = 0\}.$

The set $1_f$ (resp. $0_f$) is called the on set (resp. off set). The cardinality of $1_f$, denoted by wt(f), is called the Hamming weight of f. We say that an n-variable Boolean function f is balanced if $wt(f) = 2^{n-1}$. The Hamming distance between two functions f and g, denoted by d(f, g), is the Hamming weight of $f \oplus g$. Let $S = (s_1, s_2, \ldots, s_n) \in \mathbb{F}_2^n$; the Hamming weight of S, denoted by wt(S), is the number of 1's in $\{s_1, s_2, \ldots, s_n\}$.

The Walsh spectrum is an important tool for studying Boolean functions. Let $X = (x_1, \ldots, x_n)$ and $S = (s_1, \ldots, s_n)$ both belong to $\mathbb{F}_2^n$, with inner product $X \cdot S = x_1 s_1 \oplus \ldots \oplus x_n s_n$. Let f be a Boolean function of n variables. Then the Walsh transform of f is an integer-valued function over $\mathbb{F}_2^n$ which is defined as

$W_f(S) = \sum_{X \in \mathbb{F}_2^n} (-1)^{f(X) \oplus X \cdot S}.$

Affine functions are those Boolean functions of degree at most 1. The nonlinearity of an n-variable Boolean function f is its Hamming distance from the set of all n-variable affine functions, i.e.,

$nl(f) = \min\{d(f, g) \mid g \text{ is an affine function}\}.$

The nonlinearity of f can be described by its Walsh spectrum as $nl(f) = 2^{n-1} - \frac{1}{2}\max_{S \in \mathbb{F}_2^n} |W_f(S)|$. Correlation immune functions and resilient functions are two important classes of Boolean functions. A function is mth order correlation immune (resp. m-resilient) if and only if its Walsh spectrum satisfies

$W_f(S) = 0 \quad \text{for } 1 \le wt(S) \le m \ (\text{resp. } 0 \le wt(S) \le m).$

Definition 1. [16] For a given n-variable Boolean function f, a nonzero n-variable Boolean function g is called an annihilator of f if $f \cdot g = 0$, and the algebraic immunity of f, denoted by AI(f), is the minimum value of d such that f or $f \oplus 1$ admits an annihilating function of degree d.

For convenience, two orderings, one on vectors and one on monomials, are defined as follows.

Definition 2. A vector ordering $<_v$ on $\mathbb{F}_2^n$ is defined as: let $(a_1, \ldots, a_n), (b_1, \ldots, b_n) \in \mathbb{F}_2^n$; then $(a_1, \ldots, a_n) <_v (b_1, \ldots, b_n)$ if and only if $\sum_{i=1}^{n} a_i < \sum_{i=1}^{n} b_i$, or $\sum_{i=1}^{n} a_i = \sum_{i=1}^{n} b_i$ and there exists $1 \le i \le n$ such that $a_i > b_i$ and $a_j = b_j$ for $1 \le j < i$.

Example 1. If n = 3, then $(0,0,0) <_v (1,0,0) <_v (0,1,0) <_v (0,0,1) <_v (1,1,0) <_v (1,0,1) <_v (0,1,1) <_v (1,1,1)$.

Definition 3. A monomial ordering $<_m$ on $\mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2 - x_1, \ldots, x_n^2 - x_n)$ is defined as: let $x_1^{a_1} \cdots x_n^{a_n}, x_1^{b_1} \cdots x_n^{b_n} \in \mathbb{F}_2[x_1, \ldots, x_n]/(x_1^2 - x_1, \ldots, x_n^2 - x_n)$; then $x_1^{a_1} \cdots x_n^{a_n} <_m x_1^{b_1} \cdots x_n^{b_n}$ if and only if $(a_1, \ldots, a_n) <_v (b_1, \ldots, b_n)$.

It is clear that $<_v$ and $<_m$ are both total orderings.
Let A be an $l \times l$ matrix, and let $1 \le i_1 < i_2 < \cdots < i_k \le l$, $1 \le j_1 < j_2 < \cdots < j_k \le l$ be integers. Denote by $A_{(i_1, \ldots, i_k)}$ the $k \times l$ matrix whose rth ($1 \le r \le k$) row vector equals the $i_r$th row vector of A, and by $A_{(i_1, \ldots, i_k;\ j_1, \ldots, j_k)}$ the $k \times k$ matrix whose rth ($1 \le r \le k$) column vector equals the $j_r$th column vector of $A_{(i_1, \ldots, i_k)}$.


3 Construction of Boolean Functions with Maximum AI

In this section, we briefly review the method to construct Boolean functions with maximum AI proposed in [13].

Let n be a positive integer and $X = (x_1, \ldots, x_n) \in \mathbb{F}_2^n$. Let

$v(X) = (1, x_1, \ldots, x_n, x_1 x_2, \ldots, x_{n-1} x_n, \ldots, x_{\lfloor n/2 \rfloor + 2} \cdots x_n) \in \mathbb{F}_2^{\sum_{i=0}^{\lfloor n/2 \rfloor} \binom{n}{i}},$

where the monomials are ordered according to the ordering $<_m$. It is clear that $\sum_{i=0}^{\lfloor n/2 \rfloor} \binom{n}{i} = 2^{n-1}$ when n is odd. Let f be an n-variable Boolean function, let $V(1_f)$ denote the $wt(f) \times \sum_{i=0}^{\lfloor n/2 \rfloor} \binom{n}{i}$ matrix with the set of row vectors $\{v(X) \mid X \in 1_f\}$, and let $V(0_f)$ denote the $(2^n - wt(f)) \times \sum_{i=0}^{\lfloor n/2 \rfloor} \binom{n}{i}$ matrix with the set of row vectors $\{v(X) \mid X \in 0_f\}$.


Lemma 1. [3,9] Let n = 2t+1 be odd and let f be an n-variable Boolean function which satisfies

$f(X) = \begin{cases} a & \text{for } wt(X) \le t \\ a \oplus 1 & \text{for } wt(X) > t \end{cases},$

where $a \in \mathbb{F}_2$. Then $AI(f) = t+1$.

When a = 1, the function described in Lemma 1 is called the majority function, and we denote it by $F_n$. It is clear that $F_n$ is balanced. We arrange the vectors in $1_{F_n}$ (resp. $0_{F_n}$) according to the order $<_v$, and denote them by $X_1, \ldots, X_{2^{n-1}}$ (resp. $Y_1, \ldots, Y_{2^{n-1}}$), i.e. $X_1 <_v \ldots <_v X_{2^{n-1}}$ (resp. $Y_1 <_v \ldots <_v Y_{2^{n-1}}$). Let $X_j = (x_{j,1}, \ldots, x_{j,n})$ (resp. $Y_j = (y_{j,1}, \ldots, y_{j,n})$). The ith row vector of $V(1_{F_n})$ (resp. $V(0_{F_n})$) is $v(X_i)$ (resp. $v(Y_i)$).

The idea of the construction proposed in [13] is to obtain a new function by changing the values of the majority function at some vectors. The problem of finding the appropriate vectors is converted into the problem of finding a $k \times k$ invertible submatrix of the $2^{n-1} \times 2^{n-1}$ invertible matrix $W = V(0_{F_n}) V(1_{F_n})^{-1}$.

Theorem 1. [13] Let n = 2t+1, and f an n-variable Boolean function. Then $AI(f) = t+1$ if and only if there exist integers $1 \le i_1 < \ldots < i_k \le 2^{n-1}$, $1 \le j_1 < \ldots < j_k \le 2^{n-1}$, such that $f = f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ and $W_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ is invertible, where $f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ is defined as

$f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}(X) = \begin{cases} F_n(X) \oplus 1 & \text{if } X \in \{X_{j_1}, \ldots, X_{j_k}, Y_{i_1}, \ldots, Y_{i_k}\} \\ F_n(X) & \text{else} \end{cases} \qquad (1)$
Construction 1. [13] Let n = 2t+1. The following method generates a Boolean function of n variables with maximum AI.

Step 1: Select randomly an integer $1 \le k \le 2^{n-2}$ and k integers $1 \le i_1 < \ldots < i_k \le 2^{n-1}$.

Step 2: Find k integers $1 \le j_1 < \ldots < j_k \le 2^{n-1}$ such that the $j_1$th, ..., $j_k$th column vectors of $W_{(i_1,\ldots,i_k)}$ are linearly independent.

Then, the Boolean function defined by (1) has AI t+1.

Remark 1. 1) For any fixed $1 \le k \le 2^{n-2}$ and any k integers $1 \le i_1 < \ldots < i_k \le 2^{n-1}$, there always exist k integers $1 \le j_1 < \ldots < j_k \le 2^{n-1}$ such that $W_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ is invertible.

2) Any Boolean function of 2t+1 variables with maximum AI can be constructed by this method.

For the rest of this paper, we always suppose n = 2t+1.
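As an added, runnable illustration (this code is not part of the paper), the following Python carries out Construction 1 for n = 5 by brute force: it builds $V(1_{F_n})$, $V(0_{F_n})$ and $W = V(0_{F_n})V(1_{F_n})^{-1}$ over $\mathbb{F}_2$, takes the Step 1 row indices from the caller (the choice $i_1, i_2, i_3 = 1, 5, 9$ used in the demonstration is arbitrary), picks linearly independent columns of $W_{(i_1,\ldots,i_k)}$ for Step 2, and then checks the resulting function against the definitions of Section 2 (Walsh spectrum, nonlinearity, and algebraic immunity computed from the annihilator rank condition of Definition 1). It follows the paper's convention $F_n(X) = 1$ iff $wt(X) \le t$; all function names are the example's own.

```python
from functools import reduce
from itertools import product

def vectors(n):
    """All X in F_2^n as 0/1 tuples."""
    return list(product((0, 1), repeat=n))

def vorder_key(X):
    """Sort key for <_v (Definition 2): lower weight first; at equal weight the vector
    with a 1 at the first differing position comes first."""
    return (sum(X), tuple(1 - x for x in X))

def majority(n):
    """Truth table of F_n as a dict X -> F_n(X), with F_n(X) = 1 iff wt(X) <= t."""
    t = (n - 1) // 2
    return {X: int(sum(X) <= t) for X in vectors(n)}

def flip(f, points):
    """f(X) xor 1 on the listed points, f(X) elsewhere (this is eq. (1) when f = F_n)."""
    g = dict(f)
    for X in points:
        g[X] ^= 1
    return g

def walsh(f, S):
    """W_f(S) = sum over X of (-1)^(f(X) xor S.X)."""
    return sum((-1) ** (f[X] ^ (sum(s & x for s, x in zip(S, X)) & 1)) for X in f)

def nonlinearity(f):
    """nl(f) = 2^(n-1) - max_S |W_f(S)| / 2."""
    n = len(next(iter(f)))
    return 2 ** (n - 1) - max(abs(walsh(f, S)) for S in vectors(n)) // 2

def eval_matrix(points, mons):
    """Rows as bitmasks: bit c is set iff the monomial with exponent vector mons[c] is 1 at X."""
    return [sum(1 << c for c, a in enumerate(mons) if all(x or not e for x, e in zip(X, a)))
            for X in points]

def gf2_rank(rows):
    """Rank over F_2 of row bitmasks (eliminate on each pivot's leading bit)."""
    rank, rows = 0, [r for r in rows if r]
    while rows:
        piv, rank = rows.pop(), rank + 1
        hb = piv.bit_length() - 1
        rows = [s for s in (r ^ piv if (r >> hb) & 1 else r for r in rows) if s]
    return rank

def gf2_inverse(rows):
    """Gauss-Jordan inverse of a square matrix over F_2 (bit c of a row = column c)."""
    m = len(rows)
    aug = [r | (1 << (m + i)) for i, r in enumerate(rows)]  # [A | I]
    for col in range(m):
        piv = next(i for i in range(col, m) if (aug[i] >> col) & 1)  # StopIteration: singular
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(m):
            if i != col and (aug[i] >> col) & 1:
                aug[i] ^= aug[col]
    return [r >> m for r in aug]

def gf2_mul(A, B):
    """Product over F_2: row r of A*B is the xor of the rows of B selected by the bits of r."""
    return [reduce(lambda acc, c: acc ^ B[c], (c for c in range(len(B)) if (r >> c) & 1), 0) for r in A]

def has_annihilator(f, value, d):
    """Nonzero g of degree <= d vanishing wherever f(X) == value?  Iff that evaluation matrix is rank deficient."""
    n = len(next(iter(f)))
    mons = [a for a in vectors(n) if sum(a) <= d]
    rows = eval_matrix([X for X, y in f.items() if y == value], mons)
    return gf2_rank(rows) < len(mons)

def algebraic_immunity(f):
    """Definition 1: least d such that f or f xor 1 has a nonzero annihilator of degree d."""
    n = len(next(iter(f)))
    return next(d for d in range(n + 1) if has_annihilator(f, 1, d) or has_annihilator(f, 0, d))

def w_matrix(n):
    """X_1 <_v ... (on set of F_n), Y_1 <_v ... (off set), V(1_F) and W = V(0_F) V(1_F)^{-1}; the
    degree-<= t monomials in <_m order have exactly the exponent vectors X_1, ..., so 'ones' indexes columns too."""
    t = (n - 1) // 2
    ones = sorted((X for X in vectors(n) if sum(X) <= t), key=vorder_key)
    zeros = sorted((X for X in vectors(n) if sum(X) > t), key=vorder_key)
    V1, V0 = eval_matrix(ones, ones), eval_matrix(zeros, ones)
    return ones, zeros, V1, gf2_mul(V0, gf2_inverse(V1))

def construction_1(n, i_idx):
    """Construction 1 of [13] with the Step 1 rows i_1 < ... < i_k (1-based) supplied by the caller; Step 2
    greedily takes columns j_1 < ... < j_k of W_(i_1..i_k) that stay independent (Remark 1: k such columns exist)."""
    ones, zeros, _, W = w_matrix(n)
    rows = [W[i - 1] for i in i_idx]
    chosen = []
    for j in range(1, len(ones) + 1):
        cols = [sum(((rows[r] >> (c - 1)) & 1) << r for r in range(len(rows))) for c in chosen + [j]]
        if gf2_rank(cols) == len(cols):
            chosen.append(j)
        if len(chosen) == len(i_idx):
            break
    f = flip(majority(n), [ones[j - 1] for j in chosen] + [zeros[i - 1] for i in i_idx])
    return chosen, f

if __name__ == "__main__":
    js, f = construction_1(5, [1, 5, 9])  # i = (1, 5, 9): an arbitrary Step 1 choice with k = 3
    print("j =", js, "AI(f) =", algebraic_immunity(f), "nl(f) =", nonlinearity(f), "nl(F_5) =", nonlinearity(majority(5)))
```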

4 Properties of W and Several Classes of n-Variable Boolean Functions with Maximum AI

In this section, we first show some important properties of the matrix $W = V(0_{F_n}) V(1_{F_n})^{-1}$, then use these conclusions to obtain some necessary or sufficient conditions for an n-variable Boolean function to achieve maximum AI.

Let A be a $2^{n-1} \times 2^{n-1}$ matrix, and divide A into $(t+1)^2$ submatrices, denoted by $A_{i,j}$, $1 \le i \le t+1$, $1 \le j \le t+1$, defined as

$A_{i,j} = A_{(r_{i-1}+1,\ r_{i-1}+2,\ \ldots,\ r_i;\ s_{j-1}+1,\ s_{j-1}+2,\ \ldots,\ s_j)},$

where

$r_i = \begin{cases} 0 & \text{if } i = 0 \\ \sum_{k=1}^{i} \binom{n}{t+k} & \text{if } i > 0 \end{cases}, \qquad s_i = \begin{cases} 0 & \text{if } i = 0 \\ \sum_{k=0}^{i-1} \binom{n}{k} & \text{if } i > 0 \end{cases}.$

It is clear that the row (resp. column) vectors of $W_{i,j}$ correspond to the vectors in $0_{F_n}$ (resp. $1_{F_n}$) with Hamming weight $i+t$ (resp. $j-1$).

Proposition 1. [10] $V(1_{F_n})^{-1} = V(1_{F_n})$.

Proposition 2. Let $W = V(0_{F_n}) V(1_{F_n})^{-1}$. Then

$W_{i,j} = \begin{cases} \mathbf{0} & \text{if } \bigoplus_{r=0}^{t-j+1} \binom{i+t-j+1}{r} = 0 \\ V(0_{F_n})_{i,j} & \text{else} \end{cases}$

where $\mathbf{0}$ denotes the matrix with all entries 0.

Proof. By Proposition 1, $W = V(0_{F_n}) V(1_{F_n})^{-1} = V(0_{F_n}) V(1_{F_n})$. Let $Y = (y_1, \ldots, y_n) \in 0_{F_n}$ with $wt(Y) = i > t$, and let $x_{r_1} \cdots x_{r_j}$ be a monomial of degree j ($0 \le j \le t$). Denote the transpose of the column vector of $V(1_{F_n})$ corresponding to $x_{r_1} \cdots x_{r_j}$ by $u(x_{r_1} \cdots x_{r_j})$. That is, $u(x_{r_1} \cdots x_{r_j})$ is the evaluation of $x_{r_1} \cdots x_{r_j}$ at the vectors belonging to $1_{F_n}$. We can represent $u(x_{r_1} \cdots x_{r_j})$ as

$(g(1), g(x_1), \ldots, g(x_n), g(x_1 x_2), g(x_1 x_3), \ldots, g(x_{n-1} x_n), \ldots, g(x_1 \cdots x_t), \ldots, g(x_{t+2} \cdots x_n)),$

where g is a function on the monomials of degree at most t, which satisfies

On the other hand, we can also represent $v(Y)$ as

$(h(1), h(x_1), \ldots, h(x_n), h(x_1 x_2), h(x_1 x_3), \ldots, h(x_{n-1} x_n), \ldots, h(x_1 \cdots x_t), \ldots, h(x_{t+2} \cdots x_n)),$

where h is a function on the monomials of degree at most t, which satisfies

$h(x_1^{a_1} \cdots x_n^{a_n}) = \begin{cases} 1 & \text{if } x_1^{a_1} \cdots x_n^{a_n} \mid x_1^{y_1} \cdots x_n^{y_n} \\ 0 & \text{else} \end{cases} \qquad (5)$

Denote the inner product of $v(Y)$ and $u(x_{r_1} \cdots x_{r_j})$ by c.

If $y_{r_1}, \ldots, y_{r_j}$ are not all 1, by (2), (3), (4) and (5) we have $c = 0 = h(x_{r_1} \cdots x_{r_j})$. If $y_{r_1}, \ldots, y_{r_j}$ are all 1, we have $h(x_{r_1} \cdots x_{r_j}) = 1$ and

It is clear that the row (resp. column) vectors of $W_{i,j}$ correspond to the vectors in $0_{F_n}$ (resp. $1_{F_n}$) with Hamming weight $i+t$ (resp. $j-1$). Therefore, we complete the proof.

Corollary 1. 1) For any $2 \le i \le t+1$, $W_{i,t+2-i} = \mathbf{0}$.

2) For any $1 \le j \le t+1$, $W_{1,j} = V(0_{F_n})_{1,j}$.

3) For any $1 \le i \le t+1$, $W_{i,t+1} = V(0_{F_n})_{i,t+1}$.

Proof. 1) If $2 \le i \le t+1$ and $j = t+2-i$, then

$\bigoplus_{r=0}^{t-j+1} \binom{i+t-j+1}{r} = \bigoplus_{r=0}^{t-j+1} \binom{2(t-j+1)+1}{r} = 2^{2(t-j+1)} \bmod 2 = 0.$

2) If i = 1, then

$\bigoplus_{r=0}^{t-j+1} \binom{1+t-j+1}{r} = \bigoplus_{r=0}^{t-j+1} \binom{t-j+2}{r} = (2^{t-j+2} - 1) \bmod 2 = 1.$

3) If j = t+1, then

$\bigoplus_{r=0}^{t-j+1} \binom{i+t-j+1}{r} = \binom{i}{0} = 1.$

We can obtain some necessary conditions for n-variable Boolean functions to have maximum AI.

Theorem 2. Let $1 \le k \le 2^{n-1}$, $1 \le i_1 < \ldots < i_k \le 2^{n-1}$, $1 \le j_1 < \ldots < j_k \le 2^{n-1}$. If there exist $0 \le j \le t$ and $t+1 \le i \le n$ such that

$\bigoplus_{r=0}^{t-j} \binom{i-j}{r} = 0 \quad \text{and} \quad \#\{X \in \{X_{j_1}, \ldots, X_{j_k}\} \mid wt(X) = j\} + \#\{Y \in \{Y_{i_1}, \ldots, Y_{i_k}\} \mid wt(Y) = i\} > k,$

then $AI(f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}) < t+1$.

Proof. By Theorem 1, it is sufficient to show that $W_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ is not invertible. By Proposition 2 and the first condition, we have that $W_{i-t,j+1} = \mathbf{0}$. Then the second condition implies that $W_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ has an all-zero submatrix whose number of rows plus number of columns is greater than k. Therefore, $W_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ is not invertible.

Corollary 2. Let $1 \le k \le 2^{n-1}$, $1 \le i_1 < \ldots < i_k \le 2^{n-1}$, $1 \le j_1 < \ldots < j_k \le 2^{n-1}$. If there exists $0 \le r \le t-1$ such that

$\#\{X \in \{X_{j_1}, \ldots, X_{j_k}\} \mid wt(X) = r\} + \#\{Y \in \{Y_{i_1}, \ldots, Y_{i_k}\} \mid wt(Y) = n-r\} > k,$

then $AI(f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}) < t+1$.

In the rest of this section, several classes of n-variable Boolean functions with maximum AI are provided.

Theorem 3. Let $1 \le k \le 2^{n-1}$, $1 \le i_1 < \ldots < i_k \le 2^{n-1}$, $1 \le j_1 < \ldots < j_k \le 2^{n-1}$. If the following conditions are both satisfied, then $AI(f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}) = t+1$.

1) There exist $1 \le a_1 < \ldots < a_s \le n$ such that $x_{j_r,a_1} = \ldots = x_{j_r,a_s} = 0$ for $1 \le r \le k$.

2) For any $X_{j_r}$ ($1 \le r \le k$), there exists correspondingly $Y_{i_r'} \in \{Y_{i_1}, \ldots, Y_{i_k}\}$ such that $y_{i_r',a} = x_{j_r,a}$ for $a \notin \{a_1, \ldots, a_s\}$, and

$\bigoplus_{u=0}^{t - wt(X_{j_r})} \binom{wt(Y_{i_r'}) - wt(X_{j_r})}{u} = 1.$

Proof. If $X_{j_1}, \ldots, X_{j_k}$ and $Y_{i_1}, \ldots, Y_{i_k}$ satisfy the two conditions, then by Proposition 2, $W_{(i_1',\ldots,i_k';\ j_1,\ldots,j_k)}$ is lower triangular with all entries on the diagonal equal to 1. Therefore $W_{(i_1',\ldots,i_k';\ j_1,\ldots,j_k)}$ is invertible, which implies that $W_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ is invertible, and the result holds by Theorem 1.
Example 2. Let n = 7, $L_1 = \{(1,0,0,0,0,0,0), (0,1,1,0,0,0,0), (0,0,1,1,0,0,0), (1,1,1,0,0,0,0)\} \subset 1_{F_n}$, $L_2 = \{(1,0,0,0,1,1,1), (0,1,1,0,1,1,0), (0,0,1,1,0,1,1), (1,1,1,0,1,1,1)\} \subset 0_{F_n}$. Then the function

$f(X) = \begin{cases} F_n(X) \oplus 1 & \text{if } X \in L_1 \cup L_2 \\ F_n(X) & \text{else} \end{cases}$

has AI 4.

Theorem 4. Let $1 \le 2k \le 2^{n-1}$, $1 \le i_1 < \ldots < i_{2k} \le 2^{n-1}$, $1 \le j_1 < \ldots < j_{2k} \le 2^{n-1}$, with $wt(X_{j_r}) = w_1$, $wt(Y_{i_r}) = w_1'$ for $1 \le r \le k$, and $wt(X_{j_r}) = w_2$, $wt(Y_{i_r}) = w_2'$ for $k+1 \le r \le 2k$. If one of the following two conditions is satisfied, then $AI(f_{(i_1,\ldots,i_{2k};\ j_1,\ldots,j_{2k})}) = t+1$.

1) $\bigoplus_{r=0}^{t-w_1} \binom{w_2' - w_1}{r}$ and $\bigoplus_{r=0}^{t-w_2} \binom{w_1' - w_2}{r}$ are not both 1, and

$AI(f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}) = AI(f_{(i_{k+1},\ldots,i_{2k};\ j_{k+1},\ldots,j_{2k})}) = t+1.$

2) $\bigoplus_{r=0}^{t-w_1} \binom{w_1' - w_1}{r}$ and $\bigoplus_{r=0}^{t-w_2} \binom{w_2' - w_2}{r}$ are not both 1, and

$AI(f_{(i_1,\ldots,i_k;\ j_{k+1},\ldots,j_{2k})}) = AI(f_{(i_{k+1},\ldots,i_{2k};\ j_1,\ldots,j_k)}) = t+1.$

Proof. Let M denote the $2k \times 2k$ matrix $W_{(i_1,\ldots,i_{2k};\ j_1,\ldots,j_{2k})}$. The first condition implies that $M_{(1,\ldots,k;\ 1,\ldots,k)}$ and $M_{(k+1,\ldots,2k;\ k+1,\ldots,2k)}$ are both invertible, and at least one of $M_{(1,\ldots,k;\ k+1,\ldots,2k)}$ and $M_{(k+1,\ldots,2k;\ 1,\ldots,k)}$ is $\mathbf{0}$. Then, M is invertible, and the result holds by Theorem 1.

If the second condition is satisfied, the result can be proved in the same way.

Example 3. Let n = 7, $L_1 = \{(0,0,0,0,1,1,0), (0,0,0,0,1,0,1), (0,0,0,0,0,1,1), (1,1,0,0,1,0,0), (1,1,0,0,0,1,0), (1,1,0,0,0,0,1)\}$, $L_2 = \{(1,1,0,0,1,1,0), (1,1,0,0,1,0,1), (1,1,0,0,0,1,1), (1,1,1,1,1,0,0), (1,1,1,1,0,1,0), (1,1,1,1,0,0,1)\}$. Then the function

$f(X) = \begin{cases} F_n(X) \oplus 1 & \text{if } X \in L_1 \cup L_2 \\ F_n(X) & \text{else} \end{cases}$

has AI 4.


Theorem 5. Let $1 \le k \le n$, and let $Y_{i_1}, \ldots, Y_{i_k}$ belong to $0_{F_n}$ with Hamming weights $w_1, \ldots, w_k$, respectively. If

1) $\bigoplus_{r=0}^{t-1} \binom{w_i - 1}{r} = 1$ for $1 \le i \le k$, and

2) there exist $1 \le j_1 < \ldots < j_k \le n$ such that the $j_1$th, ..., $j_k$th columns of the matrix

$\begin{pmatrix} Y_{i_1} \\ \vdots \\ Y_{i_k} \end{pmatrix}$

are linearly independent,

then $AI(f_{(i_1,\ldots,i_k;\ j_1+1,\ldots,j_k+1)}) = t+1$.

Proof. By Proposition 2, $W_{(i_1,\ldots,i_k;\ j_1+1,\ldots,j_k+1)}$ is invertible if the two conditions are both satisfied, and the result holds by Theorem 1.
Example 4. Let n = 7, $L_1 = \{(1,0,0,0,0,0,0), (0,1,0,0,0,0,0), (0,0,1,0,0,0,0)\}$, $L_2 = \{(1,0,1,0,1,1,1), (0,1,1,0,1,0,1), (1,1,1,1,0,1,0)\}$. Then the function

$f(X) = \begin{cases} F_n(X) \oplus 1 & \text{if } X \in L_1 \cup L_2 \\ F_n(X) & \text{else} \end{cases}$

has AI 4.


5 Nonlinearity and Resilience of Boolean Functions with Maximum AI

At first, we give the Walsh spectra of majority functions. Note that although the first item and the case wt(S) = 1 of the second item in the following lemma have been given in [9], we still give the proof for completeness.

Lemma 2. Let $S \in \mathbb{F}_2^n$.

1) If wt(S) is even, then $W_{F_n}(S) = 0$.

2) If wt(S) is odd, then

$W_{F_n}(S) = (-1)^{(wt(S)+1)/2}\, 2\binom{n-1}{(n-1)/2} \prod_{i=1}^{(wt(S)-1)/2} \frac{2i-1}{n-2i}.$

Proof. Since $\sum_{wt(X)=i} (-1)^{S \cdot X} = K_i(wt(S), n)$, we have

$W_{F_n}(S) = \sum_{i=t+1}^{n} K_i(wt(S), n) - \sum_{i=0}^{t} K_i(wt(S), n), \qquad (6)$

where $K_i(k, n)$ is the so-called Krawtchouk polynomial [15, Page 151, Part I] defined by

$K_i(k, n) = \sum_{j=0}^{i} (-1)^j \binom{k}{j} \binom{n-k}{i-j}, \quad i = 0, 1, \ldots, n.$

Krawtchouk polynomials also have the following properties [15, Page 153, Part I].

P1. $K_i(k, n) = (-1)^k K_{n-i}(k, n)$.

P2. $K_i(k, n) = K_i(k-1, n-1) - K_{i-1}(k-1, n-1)$.

P3. $(n-k) K_i(k+1, n) = (n-2i) K_i(k, n) - k K_i(k-1, n)$ for nonnegative integers i and k.

If wt(S) is even, then by (6) and P1, we have $W_{F_n}(S) = 0$.

If wt(S) is odd, then by (6), P1 and P2, we have

$W_{F_n}(S) = -2 \sum_{i=0}^{t} K_i(wt(S), n) = -2 K_t(wt(S) - 1, n - 1).$

By the definition of Krawtchouk polynomials, we have $K_t(k, n-1) = 0$ if k is odd. Thus by P3, we have

$W_{F_n}(S) = (-1)^{(wt(S)-1)/2 + 1}\, 2 K_t(0, n-1) \prod_{i=1}^{(wt(S)-1)/2} \frac{2i-1}{n-2i} = (-1)^{(wt(S)+1)/2}\, 2\binom{n-1}{(n-1)/2} \prod_{i=1}^{(wt(S)-1)/2} \frac{2i-1}{n-2i}.$
Lemma 3. Let $S, T \in \mathbb{F}_2^n$.

1) If $wt(S) + wt(T) = n+1$, then $W_{F_n}(S) = (-1)^t W_{F_n}(T)$.

2) If both wt(S) and wt(T) are odd, and $0 < wt(S) < wt(T) \le t+1$, then $|W_{F_n}(S)| > |W_{F_n}(T)|$.

Proof. 1) Since Krawtchouk polynomials have the property

$K_i(k, n) = (-1)^i K_i(n-k, n),$

we have that

$W_{F_n}(S) = -2 K_t(wt(S)-1, n-1) = -2(-1)^t K_t(n-1-(wt(S)-1), n-1) = -2(-1)^t K_t(wt(T)-1, n-1) = (-1)^t W_{F_n}(T).$

2) It is obvious from the second item of Lemma 2.

Remark 2. By Lemma 3, we have

$\max_{T \in \mathbb{F}_2^n} |W_{F_n}(T)| = |W_{F_n}(S_1)| = |W_{F_n}(S_n)| = 2\binom{n-1}{(n-1)/2},$

where $wt(S_1) = 1$, $wt(S_n) = n$. Therefore, $nl(F_n) = 2^{n-1} - \binom{n-1}{(n-1)/2}$ [9]. And

$|W_{F_n}(S_3)| = |W_{F_n}(S_{n-2})| = \frac{2}{n-2}\binom{n-1}{(n-1)/2},$

where $wt(S_3) = 3$, $wt(S_{n-2}) = n-2$. We note that the difference between the maximal and the second largest absolute value of the Walsh spectrum is quite large, namely

$2\binom{n-1}{(n-1)/2} - \frac{2}{n-2}\binom{n-1}{(n-1)/2} = \frac{2(n-3)}{n-2}\binom{n-1}{(n-1)/2}.$
Algebraic immunity has the following relationship with nonlinearity.

Lemma 4. [14] Let f be an n-variable Boolean function with $AI(f) = k$. Then

and this bound is tight.

Remark 3. Lemma 4 together with Remark 2 implies that $F_n$ has the worst nonlinearity among all n-variable Boolean functions with maximum AI.

Theorem 6. The Walsh spectrum of $f = f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ is given by

$W_f(S) = W_{F_n}(S) - 4\Big(\sum_{r=1}^{k} S \cdot X_{j_r} - \sum_{r=1}^{k} S \cdot Y_{i_r}\Big).$

Proof.

$W_f(S) = \sum_{r=1}^{2^{n-1}} (-1)^{f(X_r) + S \cdot X_r} + \sum_{r=1}^{2^{n-1}} (-1)^{f(Y_r) + S \cdot Y_r}$

$= \sum_{r \in \{1,\ldots,2^{n-1}\} \setminus \{j_1,\ldots,j_k\}} (-1)^{F_n(X_r) + S \cdot X_r} + \sum_{r=1}^{k} (-1)^{F_n(X_{j_r}) + 1 + S \cdot X_{j_r}} + \sum_{r \in \{1,\ldots,2^{n-1}\} \setminus \{i_1,\ldots,i_k\}} (-1)^{F_n(Y_r) + S \cdot Y_r} + \sum_{r=1}^{k} (-1)^{F_n(Y_{i_r}) + 1 + S \cdot Y_{i_r}}$

$= W_{F_n}(S) - 2\Big(\sum_{r=1}^{k} (-1)^{F_n(X_{j_r}) + S \cdot X_{j_r}} + \sum_{r=1}^{k} (-1)^{F_n(Y_{i_r}) + S \cdot Y_{i_r}}\Big)$

$= W_{F_n}(S) - 2\Big(\sum_{r=1}^{k} (-1)^{1 + S \cdot X_{j_r}} + \sum_{r=1}^{k} (-1)^{S \cdot Y_{i_r}}\Big)$

$= W_{F_n}(S) - 2\Big(\sum_{r=1}^{k} (2\, S \cdot X_{j_r} - 1) + \sum_{r=1}^{k} (1 - 2\, S \cdot Y_{i_r})\Big)$

$= W_{F_n}(S) - 4\Big(\sum_{r=1}^{k} S \cdot X_{j_r} - \sum_{r=1}^{k} S \cdot Y_{i_r}\Big),$

where the inner product $S \cdot X$ is read as the integer 0 or 1.

From the above analysis in this section, some necessary conditions for Boolean functions with maximum AI, and for those among them which also have higher nonlinearity than $F_n$, can be obtained.

Theorem 7. Let $1 \le k \le 2^{n-1}$, $1 \le i_1 < \ldots < i_k \le 2^{n-1}$, $1 \le j_1 < \ldots < j_k \le 2^{n-1}$. If one of the following conditions is satisfied, then $AI(f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}) < t+1$.

1) There exists $1 \le r \le n$ such that $x_{j_1,r} + \cdots + x_{j_k,r} > y_{i_1,r} + \cdots + y_{i_k,r}$.

2) If $n \equiv 1 \pmod 4$,

$\#\{X \in \{X_{j_1}, \ldots, X_{j_k}\} \mid wt(X) \text{ is odd}\} > \#\{Y \in \{Y_{i_1}, \ldots, Y_{i_k}\} \mid wt(Y) \text{ is odd}\};$

if $n \equiv 3 \pmod 4$,

$\#\{X \in \{X_{j_1}, \ldots, X_{j_k}\} \mid wt(X) \text{ is odd}\} < \#\{Y \in \{Y_{i_1}, \ldots, Y_{i_k}\} \mid wt(Y) \text{ is odd}\}.$

Proof. By Theorem 6, the first condition means that $|W_{f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}}(S)| > |W_{F_n}(S)|$ for $S = (0, \ldots, 0, 1, 0, \ldots, 0)$ with the 1 in position r. Thus, we have $nl(f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}) < nl(F_n)$ by Remark 2. Therefore, by Remark 3, we have $AI(f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}) < t+1$.

If the second condition is satisfied, then $|W_{f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}}(S)| > |W_{F_n}(S)|$ for $S = (1, 1, \ldots, 1)$. In the same way, the result can be proved.

Theorem 8. Let $f = f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ be an n-variable Boolean function with AI t+1. If one of the following conditions is satisfied, then f has the worst nonlinearity among all n-variable Boolean functions with maximum AI.

1) There exists $1 \le r \le n$ such that $x_{j_1,r} + \cdots + x_{j_k,r} = y_{i_1,r} + \cdots + y_{i_k,r}$.

2) $\#\{X \in \{X_{j_1}, \ldots, X_{j_k}\} \mid wt(X) \text{ is odd}\} = \#\{Y \in \{Y_{i_1}, \ldots, Y_{i_k}\} \mid wt(Y) \text{ is odd}\}$.

Proof. By Theorem 6, the first condition means that $|W_{f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}}(S)| = |W_{F_n}(S)|$ for $S = (0, \ldots, 0, 1, 0, \ldots, 0)$ with the 1 in position r. Thus, we have $nl(f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}) \le nl(F_n)$ by Remark 2. Therefore, by Remark 3, we have $nl(f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}) = nl(F_n)$, and the result is proved.

If the second condition is satisfied, then $|W_{f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}}(S)| = |W_{F_n}(S)|$ for $S = (1, 1, \ldots, 1)$. In the same way, the result can be proved.

Corollary 3. For any $1 \le i, j \le 2^{n-1}$, if $AI(f_{(i;j)}) = t+1$ then $f_{(i;j)}$ has the worst nonlinearity among all n-variable Boolean functions with maximum AI.

Proof. From Theorem 8, it is sufficient to consider the case $i = 2^{n-1}$, $j = 1$, i.e. $X = (0, 0, \ldots, 0)$, $Y = (1, 1, \ldots, 1)$. In this case, from the first item of Corollary 1 we have $AI(f_{(i;j)}) < t+1$, which contradicts the assumption.

Theorem 9. If $1 \le k \le \frac{n-3}{4(n-2)}\binom{n-1}{(n-1)/2}$, then $nl(f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)})$ is given by
2 " _1 - t ^ 
where

$N_1 = \#\{Y \in \{Y_{i_1}, \ldots, Y_{i_k}\} \mid wt(Y) \text{ is odd}\}, \qquad N_2 = \#\{X \in \{X_{j_1}, \ldots, X_{j_k}\} \mid wt(X) \text{ is odd}\}.$

Proof. Denote $f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ by f. From Theorem 6 we have

$|W_{F_n}(S)| - 4k \le |W_f(S)| \le |W_{F_n}(S)| + 4k.$

Let $S, T \in \mathbb{F}_2^n$ with $wt(S) \in \{1, n\}$ and $wt(T) \notin \{1, n\}$. If $1 \le k \le \frac{n-3}{4(n-2)}\binom{n-1}{(n-1)/2}$, then by Remark 2,

$|W_f(S)| \ge |W_{F_n}(S)| - 4k \ge |W_{F_n}(T)| + 4k \ge |W_f(T)|.$

Therefore, we have $\max_{T \in \mathbb{F}_2^n} |W_f(T)| = \max_{wt(S) \in \{1,n\}} |W_f(S)|$.

Case 1. $wt(S) = 1$ and $S = (0, \ldots, 0, 1, 0, \ldots, 0)$ with the 1 in position s. By Theorem 6 we have
|W7(S)I = 2( n ~ - 4 -!>>.•)■ 

Case 2. $wt(S) = n$. By Theorem 6 we have

Hence the result holds from $nl(f) = 2^{n-1} - \frac{1}{2}\max_{S \in \mathbb{F}_2^n} |W_f(S)|$.

Now, we modify Construction 1 to construct n-variable Boolean functions with maximum AI and possibly higher nonlinearity.

Construction 2. Step 1: Select randomly an integer $1 \le k \le 2^{n-2}$ and k integers $1 \le i_1 < \ldots < i_k \le 2^{n-1}$ which satisfy

i) $\min_{1 \le s \le n} \sum_{r=1}^{k} y_{i_r,s}$ is as large as possible;

ii) if $n \equiv 1 \pmod 4$, $\#\{Y \in \{Y_{i_1}, \ldots, Y_{i_k}\} \mid wt(Y) \text{ is odd}\}$ is as large as possible; if $n \equiv 3 \pmod 4$, $\#\{Y \in \{Y_{i_1}, \ldots, Y_{i_k}\} \mid wt(Y) \text{ is even}\}$ is as large as possible.

Step 2: Find k integers $1 \le j_1 < \ldots < j_k \le 2^{n-1}$ which satisfy

i) the $j_1$th, ..., $j_k$th column vectors of $W_{(i_1,\ldots,i_k)}$ are linearly independent;

ii) $a = \min_{1 \le s \le n} \Big(\sum_{r=1}^{k} y_{i_r,s} - \sum_{r=1}^{k} x_{j_r,s}\Big)$ is as large as possible;

iii) if $n \equiv 1 \pmod 4$,

$b = \#\{Y \in \{Y_{i_1}, \ldots, Y_{i_k}\} \mid wt(Y) \text{ is odd}\} - \#\{X \in \{X_{j_1}, \ldots, X_{j_k}\} \mid wt(X) \text{ is odd}\}$

is as large as possible; if $n \equiv 3 \pmod 4$,

$c = \#\{X \in \{X_{j_1}, \ldots, X_{j_k}\} \mid wt(X) \text{ is odd}\} - \#\{Y \in \{Y_{i_1}, \ldots, Y_{i_k}\} \mid wt(Y) \text{ is odd}\}$

is as large as possible.

Then, the Boolean function $f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ defined by (1) has AI t+1 and possibly a higher nonlinearity.

Remark 4. From Theorem 9, the function obtained by Construction 2 has a higher nonlinearity than that of $F_n$ if $1 \le k \le \frac{n-3}{4(n-2)}\binom{n-1}{(n-1)/2}$ and $a > 0$, $b > 0$ (if $n \equiv 1 \pmod 4$) or $c > 0$ (if $n \equiv 3 \pmod 4$), and it possibly has a nonlinearity equal to that of $F_n$ if $k > \frac{n-3}{4(n-2)}\binom{n-1}{(n-1)/2}$.

Further, the following theorem provides a class of n-variable Boolean functions with maximum AI which also have higher nonlinearity than that of $F_n$.
Theorem 10. Let $n \equiv 3 \pmod 4$, $1 \le k \le \min\{n, \frac{n-3}{4(n-2)}\binom{n-1}{(n-1)/2}\}$, and let $Y_{i_1}, \ldots, Y_{i_k}$ belong to $0_{F_n}$ with Hamming weights $w_1, \ldots, w_k$, respectively. If

1) $\bigoplus_{r=0}^{t-1} \binom{w_i - 1}{r} = 1$, $i = 1, \ldots, k$; and

2) $w_1, \ldots, w_k$ are not all odd; and

3) there exist $1 \le j_1 < \ldots < j_k \le n$ such that the $j_1$th, ..., $j_k$th columns of the matrix

$\begin{pmatrix} Y_{i_1} \\ \vdots \\ Y_{i_k} \end{pmatrix}$

are linearly independent; and

4) for any $s \notin \{j_1, \ldots, j_k\}$, $y_{i_1,s} + \cdots + y_{i_k,s} \ge 1$, and for any $s \in \{j_1, \ldots, j_k\}$, $y_{i_1,s} + \cdots + y_{i_k,s} \ge 2$,

then $AI(f_{(i_1,\ldots,i_k;\ j_1+1,\ldots,j_k+1)}) = t+1$ and $nl(f_{(i_1,\ldots,i_k;\ j_1+1,\ldots,j_k+1)}) \ge nl(F_n) + 2$.

Example 5. The Boolean function defined in Example 4 has AI 4, and $nl(f) = nl(F_n) + 2$.

Finally, we obtain the following necessary and sufficient condition for Boolean functions with maximum AI to also be resilient functions.

Theorem 11. Let $f = f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ be an n-variable Boolean function. Then f is a 1-resilient function if and only if

for $1 \le s \le n$.

Corollary 4. Let $f = f_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ be an n-variable Boolean function. Then f is a 1-resilient function and has AI t+1 if and only if


'Ey 


and $W_{(i_1,\ldots,i_k;\ j_1,\ldots,j_k)}$ is invertible.


6 Conclusion

Possessing a high algebraic immunity is a necessary condition for Boolean functions used in stream ciphers to resist algebraic attacks. In this paper, some classes of $(2t+1)$-variable Boolean functions with maximum AI are obtained. Further, some necessary conditions for functions of this kind which also have higher nonlinearity are presented, and thus a modified construction method is proposed to obtain such functions. Finally, a necessary and sufficient condition for $(2t+1)$-variable Boolean functions with maximum AI to also be 1-resilient is presented. However, it is still open what the highest nonlinearity of Boolean functions with maximum AI is, and how to construct Boolean functions which have maximum AI and the highest nonlinearity.
Abstract. There have been active discussions on how to derive a consistent cryptographic key from noisy data such as biometric templates, with the help of some extra information called a sketch. It is desirable that the sketch reveals little information about the biometric templates even in the worst case (i.e., the entropy loss should be low). The main difficulty is that many biometric templates are represented as points in continuous domains with unknown distributions, whereas known results either work only in discrete domains, or lack rigorous analysis on the entropy loss. A general approach to handle points in continuous domains is to quantize (discretize) the points and apply a known sketch scheme in the discrete domain. However, it can be difficult to analyze the entropy loss due to quantization and to find the "optimal" quantizer. In this paper, instead of trying to solve these problems directly, we propose to examine the relative entropy loss of any given scheme, which bounds the number of additional bits we could have extracted if we used the optimal parameters. We give a general scheme and show that the relative entropy loss due to suboptimal discretization is at most (n log 3), where n is the number of points, and the bound is tight. We further illustrate how our scheme can be applied to real biometric data by giving a concrete scheme for face biometrics.

Keywords: Secure sketch, biometric template, continuous domain. 


1 Introduction 

The main challenge in using biometric data in cryptography is that they cannot 
be reproduced exactly. Some noise will be inevitably introduced into biometric 
samples during acquisition and processing. There have been active discussions 
on how to extract a reliable cryptographic key from such noisy data. Some 
recent techniques attempt to correct the noise in the data by using some public 
information P derived from the original biometric template X. These techniques 
include fuzzy commitment [12], fuzzy vault [11], helper data [19], and secure 
sketch [7]. In this paper, we follow Dodis et al. [7] and call such public information 
P a sketch. 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 99-113, 2006. 

© International Association for Cryptologic Research 2006 
Typically, there are two main components in a secure sketch scheme. The first is the sketch generation algorithm, which we will refer to as the encoder. It takes the original biometric template X as the input, and outputs a sketch P. The second algorithm is the biometric template reconstruction algorithm, or the decoder, which takes another biometric template Y and the sketch P as the input and outputs X'. If Y and X are sufficiently similar according to some similarity measure, we will have X = X'. An important requirement for such a scheme is that the sketch P should not reveal too much information about the biometric template X. Dodis et al. [7] give a notion of entropy loss, which (informally speaking) measures the advantage that P gives to any adversary in guessing X, when X is discrete in nature (Section 3 provides the details). It is worth noting that the entropy loss is a worst case bound for all distributions of X.

There are several difficulties in applying many known secure sketch techniques to known types of biometric templates directly. Firstly, many biometric templates are represented by sequences of n points in a continuous domain (say, $\mathbb{R}$), or equivalently, points in an n-dimensional space (say, $\mathbb{R}^n$). In this case, since the entropy of the original data can be very large, and the length of the extracted key is typically quite limited, the "entropy loss" as defined in [7] can be very high for any possible scheme. For example, X is often a discrete approximation of some points in a continuous domain (e.g., decimal fractions obtained by rounding real numbers). As the precision of X gets higher, both the entropy of X and the entropy loss from P become larger, but the extracted key can become stronger. Hence, this notion of entropy loss alone is insufficient, and the seemingly high entropy loss for this type of biometric data would be misleading. We will discuss this issue in detail in Section 4, and give a complementary definition of relative entropy loss for noisy data in the continuous domain. Informally speaking, the relative entropy loss of a sketch measures the imperfection of the rounding, which is the maximum amount of additional entropy we can obtain by the "optimal" rounding. At the same time, the entropy loss from P serves as a measure of the security of the sketch in the discrete domain.

Secondly, even if the biometric templates are represented in discrete form, 
there are practical problems when the entropy of the original template is high. 
For example, the iris pattern of an eye can be represented by a 2048 bit binary 
string called iris code, and up to 20% of the bits could be changed under noise 
[9]. The fuzzy commitment scheme based on binary error-correcting codes [12] 
seems to be applicable at the first glance. However, it would be impractical to 
apply a binary error-correcting code on such a long string with such a large 
error-correcting capability. A two-level error-correcting technique is proposed in 
[9], which essentially changes the similarity measure. As a result, the space is no 
longer a metric space. 

Thirdly, the similarity measures for many known biometric templates can 
be quite different from those considered in many theoretical works (such as 
Hamming distance, set difference and edit distance in [7]). This can happen as 
a result of technical considerations (e.g., in the case of iris codes). However, 
in many cases this is due to the nature of biometric templates. For instance, 
a fingerprint template usually consists of a set of minutiae (feature points in 2-D space), and two templates are considered as similar if more than a certain number of minutiae in one template are near distinct minutiae in the other. In this case, the similarity measure has to consider both Euclidean distance and set difference at the same time.

The secure sketch for point sets [5] is perhaps the first rigorous approach to similarity measures that do not define a metric space. A generic scheme is proposed in [5] for point sets in bounded discrete d-dimensional space for any d, where the underlying similarity measure is motivated by the similarity measure of fingerprint templates. While such a scheme is potentially applicable to fingerprints represented as minutiae, other types of biometrics are different both in representations and similarity measures, and thus require different considerations and different schemes.

In this paper, we study how to design secure sketches for biometric templates, where the worst case bound can be proved. We observe that many biometric templates can be represented in a general form: the original X can be considered as a list of n points, where each point x of X is in a bounded continuous domain. Under noise, each point can be perturbed by a distance less than δ, and on top of that, at most t points can be replaced. Similarly to [5], we will refer to the first noise as the white noise, and the second as the replacement noise. We note that this similarity measure can be applied to handwritten online signatures [8], iris patterns [9], voice features [15], and face biometrics [17]. This formulation is different from that in [5] in two ways: (1) the points are in a continuous domain, and (2) the points are always ordered.

To handle points in a continuous domain, a general two-step approach is to (1) quantize (i.e., discretize) the points in X to a discrete domain with a scalar quantizer $Q_\Delta$, where Δ is the step size, and (2) apply secure sketch techniques on the quantized points $\bar{X} = Q_\Delta(X)$ in the quantized domain, which is discrete. For example, if points in X are real numbers between 0 and 1, assume that we have a scalar quantizer $Q_\Delta$ with step size Δ = 0.01, such that $Q_\Delta(x) = \bar{x}$ if and only if $\bar{x}\Delta \le x < (\bar{x}+1)\Delta$; then every point in X would be mapped to an integer in [0, 99]. After that, we can apply a secure sketch for discrete points in the domain $[0, 99]^n$ to achieve error tolerance.

However, there are two difficulties when this approach is applied. Firstly, if we follow the notion of secure sketch and entropy loss as in [7], the quantization error $X - \bar{X}$ in the first step has to be kept in the sketch, since exact reconstruction of X is required by definition. However, it can be difficult to give an upper bound on the entropy loss from the quantization errors. Even if we can, it can be very large.

Furthermore, as the quantization step Δ becomes very small, the bound on the entropy loss in the quantized domain during the second step can be very high. For instance, for $x \in [0, 1)$ and δ = 0.01, when Δ = 0.01, the entropy loss in Step (2) will be log 3, and the bound is tight. When Δ = 0.001, the entropy loss will be log 21. However, the big difference in entropy loss in the quantized domain can be misleading. We will revisit this example in Section 5, and will show that the second case actually results in a stronger key if X is uniformly distributed.
To address the above problems, we consider the following strategy. Instead of trying to answer the question of how much entropy is lost during quantization, we study how different quantizers affect the strength of the key that we can finally extract from the noisy data. In particular, given a secure sketch scheme in the discrete domain and a quantizer $Q_1$ with step size $\Delta_1$, we consider any quantizer $Q_2$ with step size $\Delta_2$. Assuming that $m_1$ and $m_2$ are the strengths of the keys under these two quantizers respectively, we found that it is possible to give an upper bound on the difference between $m_1$ and $m_2$, for any distribution of $X$, and any choice of $\Delta_2$ (hence $Q_2$) within a certain range. This bound can be expressed as a function of $\Delta_1$. In other words, although we do not know the exact entropy loss due to the quantizer $Q_1$, we do know at most how far away $Q_1$ can be from the “optimal” one. Based on this, we give a notion of relative entropy loss for data in a continuous domain. Furthermore, we show that if $X$ is uniformly distributed, the relative entropy loss can be bounded by a constant for any choice of $\Delta_1$.

To illustrate how our general approach can be applied to practical biometric 
templates, we give a scheme based on the authentication scheme for face biomet- 
rics in [17]. We will also discuss some practical issues in designing secure sketch 
schemes for biometric templates. 

We note that our proposed schemes and analysis can be applied for two parties to extract secret keys given correlated random variables (e.g., [14]), where the random variables take values in a continuous domain (e.g., $\mathbb{R}$). The entropy loss in the quantized domain measures how much information can be leaked to an eavesdropper, while the relative entropy loss measures how many additional bits we might be able to extract.

We will give a review of related works in Section 2, followed by some preliminary formal definitions in Section 3. Our definition of secure sketch and its security will be presented in Section 4. We give a general similarity measure and our proposed schemes in Section 5, together with a security analysis and some discussions on choosing the parameters. A concrete secure sketch scheme for face biometrics will be given in Section 6.

2 Related Works 

It is not surprising that the construction of the sketch largely depends on the 
representation of the biometric templates and the underlying distance function 
that measures the similarity. Most of the known techniques assume that the 
noisy data under consideration are represented as points in some metric space. 
The fuzzy commitment scheme [12], which is based on binary error-correcting 
codes, considers binary strings where the similarity is measured by Hamming 
distance. The fuzzy vault scheme [11] considers sets of elements in a finite field 
with set difference as the distance function, and corrects errors by polynomial 
interpolation. Dodis et al. [7] further give the notion of fuzzy extractors, where a “strong extractor” (such as pair-wise independent hash functions) is applied after the original $X$ is reconstructed to obtain an almost uniform key. Constructions and rigorous analysis of secure sketch are given in [7] for three metrics: Hamming
distance, set difference and edit distance. Secure sketch schemes for point sets in 
[5] are motivated by the typical similarity measure used for fingerprints, where 
each template consists of a set of points in 2-D space, and the similarity measure 
does not define a metric space. 

On the other hand, there have been a number of works on how to extract 
consistent keys from real biometric templates, which have quite different rep- 
resentations and similarity measures from the above theoretical works. Such 
biometric templates include handwritten online signatures [8], fingerprints [20], 
iris patterns [9], voice features [15], and face biometrics [17]. These works, however, do not have a sufficiently rigorous treatment of security compared to well-established cryptographic techniques. Some of the works give an analysis of the entropy of the biometrics and the approximate amount of effort required by a brute-force attacker.

Boyen [2] shows that a sketch scheme that is provably secure may be insecure when multiple sketches of the same biometric data are obtained. Boyen et al. further study the security of secure sketch schemes under more general attacker models in [1], and propose techniques to achieve mutual authentication.

Linnartz and Tuyls [13] consider a similar problem for biometric authentica- 
tion applications. They consider zero mean i.i.d. jointly Gaussian random vectors 
as biometric templates, and use mutual information as the measure of security 
against dishonest verifiers. Tuyls and Goseling [19] consider a similar notion of 
security, and develop some general results when the distribution of the original 
is known and the verifier can be trusted. Some practical results along this line 
also appear in [18]. 


3 Preliminaries 

3.1 Entropy and Entropy Loss in Discrete Domain 

In the case where $X$ is discrete, we follow the definitions by Dodis et al. [7]. They consider a variant of the average min-entropy of $X$ given $P$, which is essentially the minimum strength of the key that can be consistently extracted from $X$ when $P$ is made public.

In particular, the min-entropy of a discrete random variable $A$ is defined as $H_\infty(A) = -\log(\max_a \Pr[A = a])$. For two discrete random variables $A$ and $B$, the average min-entropy of $A$ given $B$ is defined as

$$H_\infty(A \mid B) = -\log\left(E_{b \leftarrow B}\left[2^{-H_\infty(A \mid B = b)}\right]\right).$$

For discrete $X$, the entropy loss of the sketch $P$ is defined as $\mathcal{L} = H_\infty(X) - H_\infty(X \mid P)$. This definition is useful in the analysis, since for any $\ell$-bit string $B$, we have $H_\infty(A \mid B) \ge H_\infty(A) - \ell$. For any secure sketch scheme for discrete $X$, let $R$ be the randomness invested in constructing the sketch; it is not difficult to show that when $R$ can be computed from $X$ and $P$, we have

In other words, the entropy loss can be bounded from above by the difference between the size of $P$ and the amount of randomness we invested in computing $P$. This allows us to conveniently find an upper bound of $\mathcal{L}$ for any distribution of $X$, since it is independent of $X$.

3.2 Secure Sketch in Discrete Domain 

Our definitions of secure sketch and entropy loss in the discrete domain follow those in [7]. Let $\mathcal{M}$ be a finite set of points with a similarity relation $S \subseteq \mathcal{M} \times \mathcal{M}$. When $(X, Y) \in S$, we say that $Y$ is similar to $X$, or the pair $(X, Y)$ is similar.

Definition 1. A sketch scheme in discrete domain is a tuple $(\mathcal{M}, S, \mathrm{Enc}, \mathrm{Dec})$, where $\mathrm{Enc}: \mathcal{M} \to \{0,1\}^*$ is an encoder and $\mathrm{Dec}: \mathcal{M} \times \{0,1\}^* \to \mathcal{M}$ is a decoder such that for all $X, Y \in \mathcal{M}$, $\mathrm{Dec}(Y, \mathrm{Enc}(X)) = X$ if $(X, Y) \in S$. The string $P = \mathrm{Enc}(X)$ is the sketch, and is to be made public. We say that the scheme is $\mathcal{L}$-secure if for all random variables $X$ over $\mathcal{M}$, the entropy loss of the sketch $P$ is at most $\mathcal{L}$. That is, $H_\infty(X) - H_\infty(X \mid \mathrm{Enc}(X)) \le \mathcal{L}$.

We call $H_\infty(X \mid P)$ the left-over entropy, which in essence measures the “strength” of the key that can be extracted from $X$ given that $P$ is made public. Note that in most cases, the ultimate goal is to maximize the left-over entropy for some particular distribution of $X$. However, in the discrete case, the min-entropy of $X$ is fixed but can be difficult to analyze. Hence, entropy loss becomes an equivalent measure which is easier to quantify.

4 Secure Sketch in Continuous Domain 

In this section we propose a general approach to handle noisy data in a continuous domain. We consider points in a universe $\mathcal{U}$, which is a set that may be uncountable. Let $S$ be a similarity relation on $\mathcal{U}$, i.e., $S \subseteq \mathcal{U} \times \mathcal{U}$. Let $\mathcal{M}$ be a finite set of points, and let $Q: \mathcal{U} \to \mathcal{M}$ be a function that maps points in $\mathcal{U}$ to points in $\mathcal{M}$. We will refer to such a function $Q$ as a quantizer.

Definition 2. A quantization-based sketch scheme is a tuple $(\mathcal{U}, S, Q, \mathcal{M}, \mathrm{Enc}, \mathrm{Dec})$, where $\mathrm{Enc}: \mathcal{M} \to \{0,1\}^*$ is an encoder and $\mathrm{Dec}: \mathcal{M} \times \{0,1\}^* \to \mathcal{M}$ is a decoder such that for all $X, Y \in \mathcal{U}$, $\mathrm{Dec}(Q(Y), \mathrm{Enc}(Q(X))) = Q(X)$ if $(X, Y) \in S$. The string $P = \mathrm{Enc}(Q(X))$ is the sketch. We say that the scheme is $\mathcal{L}$-secure in the quantized domain if for all random variables $X$ over $\mathcal{U}$, the entropy loss of $P$ is at most $\mathcal{L}$, i.e., $H_\infty(Q(X)) - H_\infty(Q(X) \mid \mathrm{Enc}(Q(X))) \le \mathcal{L}$.

In other words, a quantization is applied to transform the points in the continuous domain to a discrete domain, and a sketch scheme for the discrete domain is applied to obtain the sketch $P$. During reconstruction, we require the exact reconstruction of the quantization $Q(X)$ instead of the original $X$ in the continuous domain. When required, a strong extractor can be further applied to $Q(X)$ to extract a key (as the fuzzy extractor in [7]). That is, we treat $Q(X)$ as the “discrete original”. Similarly, we call $H_\infty(Q(X) \mid P)$ the left-over entropy.
When $Q$ is fixed, we can use the entropy loss on $Q(X)$ to analyze the security of the scheme, and bound the entropy loss of $P$. However, using this entropy loss alone may be misleading, since there are many ways to quantize $X$, and different quantizers would make a difference in both the min-entropy of $Q(X)$ and the entropy loss. Since our ultimate goal is to maximize the left-over entropy (i.e., the average min-entropy $H_\infty(Q(X) \mid P)$), the entropy loss alone is not sufficient to compare different quantization strategies.

To illustrate the subtleties, we consider the following example. Let $x$ be a point uniformly distributed in the interval $[0, 1)$, and under noise, it can be shifted but still within the range $[x - 0.01, x + 0.01)$. We can use a scalar quantizer $Q_1$ with step size 0.01, such that all points in the interval $[0, 1)$ are mapped to integers in $[0, 99]$. In this case, the min-entropy $H_\infty(Q_1(x)) = \log 100$. As we will see later, there is an easy way to construct a secure sketch for such $Q_1(x)$ with entropy loss of $\log 3$. Hence, the left-over entropy is $\log(100/3) \approx 5.06$. Now we consider another scalar quantizer $Q_2$ with step size 0.001, such that the range of $Q_2(x)$ is $[0, 999]$. A similar scheme on $Q_2(x)$ would give entropy loss of $\log 21$, which seems much larger than the previous $\log 3$. However, the min-entropy of $Q_2(x)$ is also increased to $\log 1000$, and the left-over entropy would be $\log(1000/21) \approx 5.57$, which is slightly higher than the case where $Q_1$ is used.

Intuitively, for a given class of methods of handling noisy data in the quantized domain, it is important to examine how different precisions of the quantization process affect the strength of the extracted key. For this purpose, we propose to consider not just one, but a family of quantizers $\mathcal{Q}$, where each quantizer $Q$ drawn from $\mathcal{Q}$ defines a mapping from $\mathcal{U}$ to a finite set $\mathcal{M}_Q$. Let $\mathbb{M}$ be the set of such $\mathcal{M}_Q$ for all $Q \in \mathcal{Q}$. We also define a family of encoders $\mathbb{E}$ and decoders $\mathbb{D}$, such that for each $Q$ and $\mathcal{M}_Q$, there exist uniquely defined $\mathrm{Enc}_Q \in \mathbb{E}$ and $\mathrm{Dec}_Q \in \mathbb{D}$ that can handle $Q(X)$ in $\mathcal{M}_Q$.

Definition 3. A quantization-based sketch family is a tuple $(\mathcal{U}, S, \mathcal{Q}, \mathbb{M}, \mathbb{E}, \mathbb{D})$, such that for each quantizer $Q \in \mathcal{Q}$, there exist $\mathcal{M} \in \mathbb{M}$, $\mathrm{Enc} \in \mathbb{E}$ and $\mathrm{Dec} \in \mathbb{D}$, and $(\mathcal{U}, S, Q, \mathcal{M}, \mathrm{Enc}, \mathrm{Dec})$ is a quantization-based sketch scheme. We say that such a scheme is a member of the family, and is identified by $Q$.

Definition 4. A quantization-based sketch family $(\mathcal{U}, S, \mathcal{Q}, \mathbb{M}, \mathbb{E}, \mathbb{D})$ is $(L, R)$-secure for functions $L, R: \mathcal{Q} \to \mathbb{R}$ if for any member identified by $Q_1$ (with encoder $\mathrm{Enc}_1$) it holds that

1. This member is $L(Q_1)$-secure in the quantized domain; and

2. For any random variable $X$, and any member identified by $Q_2$ (with encoder $\mathrm{Enc}_2$), we have

$$H_\infty(Q_2(X) \mid \mathrm{Enc}_2(Q_2(X))) - H_\infty(Q_1(X) \mid \mathrm{Enc}_1(Q_1(X))) \le R(Q_1).$$

In other words, to measure the security of the family of schemes, we examine two aspects of the family. Firstly, we consider the entropy loss in the quantized domain for each member of the family. This is represented by the function $L$, which serves as a measure of security when the quantizer is fixed. Secondly, given any quantizer in the family, we consider the question: if we use another quantizer, how many more bits can be extracted? We call this the relative entropy loss, which is represented by the function $R$.

We observe that for some sketch families, the relative entropy loss for any given member can be conveniently bounded by the size of the sketch generated by that member. We say that such sketch families are well-formed. More precisely, we have

Definition 5. A quantization-based sketch family $(\mathcal{U}, S, \mathcal{Q}, \mathbb{M}, \mathbb{E}, \mathbb{D})$ is well-formed if for any two members $(\mathcal{U}, S, Q_1, \mathcal{M}_1, \mathrm{Enc}_1, \mathrm{Dec}_1)$ and $(\mathcal{U}, S, Q_2, \mathcal{M}_2, \mathrm{Enc}_2, \mathrm{Dec}_2)$, it holds for any random variable $X$ that

$$H_\infty(Q_1(X) \mid (P_1, P_2)) = H_\infty(Q_2(X) \mid (P_1, P_2)) \qquad (2)$$

where $P_1 = \mathrm{Enc}_1(Q_1(X))$ and $P_2 = \mathrm{Enc}_2(Q_2(X))$.

Theorem 1. For any well-formed quantization-based sketch family, given any two members $(\mathcal{U}, S, Q_1, \mathcal{M}_1, \mathrm{Enc}_1, \mathrm{Dec}_1)$ and $(\mathcal{U}, S, Q_2, \mathcal{M}_2, \mathrm{Enc}_2, \mathrm{Dec}_2)$, it holds for any random variable $X$ that

$$H_\infty(Q_2(X) \mid P_2) - H_\infty(Q_1(X) \mid P_1) \le |P_1|$$

where $P_1 = \mathrm{Enc}_1(Q_1(X))$ and $P_2 = \mathrm{Enc}_2(Q_2(X))$.

Proof: First, it is not difficult to show that for any random variables $A$, $B$ and $C$, we have

$$H_\infty(A \mid B) - |C| \le H_\infty(A \mid (B, C)) \le H_\infty(A \mid B). \qquad (3)$$

Let $X_1 = Q_1(X)$ and $X_2 = Q_2(X)$. Since the sketch family is well-formed,

$$H_\infty(X_1 \mid (P_1, P_2)) = H_\infty(X_2 \mid (P_1, P_2)). \qquad (4)$$

Applying (3) with $A = X_2$, $B = P_2$, $C = P_1$ for the first inequality below, and with $A = X_1$, $B = P_1$, $C = P_2$ for the last, we have

$$H_\infty(X_2 \mid P_2) - |P_1| \le H_\infty(X_2 \mid (P_1, P_2)) = H_\infty(X_1 \mid (P_1, P_2)) \le H_\infty(X_1 \mid P_1). \qquad \square$$


5 A General Scheme for Biometric Templates 

We observe that many biometric templates can be represented as a sequence of points in some bounded continuous domain. There are two types of noise that can occur. The first, white noise, perturbs each point by a small distance, and the second, replacement noise, replaces some points by different points.

Without loss of generality, we assume that each biometric template $X$ can be written as a sequence $X = (x_1, x_2, \ldots, x_n)$, where each $x_i \in \mathbb{R}$ and $0 \le x_i < 1$. In other words, $X \in \mathcal{U} = [0, 1)^n$. For each pair of biometric templates $X$ and $Y$, we say that $(X, Y) \in S$ if there exists a subset $C$ of $\{1, \ldots, n\}$ such that $|C| \ge n - t$ for some threshold $t$, and for every $i \in C$ it holds that $|x_i - y_i| < \delta$ for some threshold $\delta$.

Similar to the two-part approach in [5], we construct the sketch in two parts. 
The first part, the white noise sketch, handles the white noise in the noisy data, 
and the second part, the replacement noise sketch, corrects the replacement noise. 
We will concentrate on the white noise sketch in this paper, and the replacement 
noise sketch can be implemented using a known secure sketch scheme for set 
difference (e.g., that in [7,3]). 

5.1 Proposed Quantization-Based Sketch Family 

Each member of the family is parameterized by a A such that A £ K and 0 < 
A< 5. 

Quantizer Q\. Each quantizer Q\ in Q is a scalar quantizer with step size 
A £ 1. For each x £ U, Q\(x) = x if and only if Ax < x < A(x + 1), and 
the quantization of X is defined as X = Q\(X) = (Q\(x\), ■ ■ ■ , Q\(x n )). The 
corresponding quantized domain is thus M\ = [0, [ y]] n - The encoders and the 
decoders work only on the quantized domain. The white noise appeared in the 
quantized domain is of level 8\ = [<5/ A]. In other words, under white noise, a 
point x in the quantized domain can be shifted by a distance of at most 5\. Let 
us denote A\ = 2 5\ + 1. 

Codebook C\. Furthermore, for each quantized domain A4\ we consider a code- 
book C\, where every codeword c £ C\ has the form c = kA\ for some 
non-negative integer k. We use C\(-) to denote the function such that given 
a quantized point x, it returns a value c = C\(x) such that \x — c\ < 8\. That is, 
the functions finds the unique codeword c that is nearest to x in the codebook. 

Encoder Enc^ . Given a quantized X £ M.\, the encoder Enc^ does the following. 

1. For each x t £ X, compute c, : = C\(xi): 

2. Output P = EncA(fY') = (di, ■ ■ ■ , d n ), where d* = — Ci for 1 < i < n. 

In other words, for every Xi, the encoder outputs the distance of Xi from its 
nearest codeword in the codebook C\. 

Decoder DecA- For a corrupted template Y, it is first quantized by Y = Q\(Y). 
Given P = (di, • • • , d n ) and Y = (yi, ■ ■ ■ , y n ), and the decoder DecA does the 
following. 

1. For eachj/j £ Y , compute c* = C\{tji — dj); 

2. Output X = DecA(T) = (ci + di, • • • , c n + d n ). 

In other words, the decoder shifts every yi by di, maps it to the nearest codeword 
in C\, and shifts it back by the same distance. 
5.2 Security Analysis

For each member of the sketch family with parameter $\Delta$, the difference $d_i$ between $\bar x_i$ and $c_i$ ranges from $-\delta_\Delta$ to $\delta_\Delta$. Intuitively, $\log \Lambda_\Delta$ bits are sufficient and necessary to describe the white noise in the quantized domain (recall that $\Lambda_\Delta = 2\delta_\Delta + 1 = 2\lceil \delta/\Delta \rceil + 1$). Hence, we have

Lemma 2. The quantization-based sketch scheme $(\mathcal{U}, S, Q_\Delta, \mathcal{M}_\Delta, \mathrm{Enc}_\Delta, \mathrm{Dec}_\Delta)$ is $(n \log \Lambda_\Delta)$-secure in the quantized domain.

Proof: Note that the size of each $d_i$ generated in the second step of the encoder is $\log \Lambda_\Delta$. Hence the total size of the sketch is $n \log \Lambda_\Delta$. Therefore, the entropy loss of the sketch $P$ is at most $n \log \Lambda_\Delta$ by Equation (1). $\square$

It is not difficult to see that the above bound is tight. For example, when each $x$ is uniformly distributed in the quantized domain, the min-entropy of each $\bar x$ after quantization would be $\log \lceil \frac{1}{\Delta} \rceil$, and the average min-entropy of $\bar x$ given $P$ would be at most $\log |\mathcal{C}_\Delta| = \log \lceil \frac{1}{\Delta} \rceil - \log \Lambda_\Delta$.

Now we consider the relative entropy loss. First of all, we observe that the proposed sketch family is well-formed according to Definition 5.

Lemma 3. The quantization-based sketch family defined in Section 5.1 is well-formed.

Proof: We consider any two members in the sketch family. The first is identified by $Q_{\Delta_1}$ with step size $\Delta_1$, and the second is identified by $Q_{\Delta_2}$ with step size $\Delta_2$.

For any point $x \in X$, let $\bar x_1 = Q_{\Delta_1}(x)$. Recall that during encoding, a codeword is computed as $c_1 = C_{\Delta_1}(\bar x_1)$, and the difference $d_1 = \bar x_1 - c_1$ is put into the sketch. Similarly, let $\bar x_2 = Q_{\Delta_2}(x)$, $c_2 = C_{\Delta_2}(\bar x_2)$ and $d_2 = \bar x_2 - c_2$.

Since $\Delta_1 \le \delta$ and $\Delta_2 \le \delta$, it is easy to see that if $d_1$, $d_2$ and $\bar x_1$ are known, we can compute $\bar x_2$ deterministically. Similarly, given $d_1$, $d_2$ and $\bar x_2$, $\bar x_1$ can also be determined. Thus, we have

$$H_\infty(\bar x_1 \mid (d_1, d_2)) = H_\infty((\bar x_1, \bar x_2) \mid (d_1, d_2)) = H_\infty(\bar x_2 \mid (d_1, d_2)). \qquad (6)$$

The same arguments can be applied to all the points in $X$. Hence, letting $\bar X_1 = Q_{\Delta_1}(X)$, $\bar X_2 = Q_{\Delta_2}(X)$, $P_1 = \mathrm{Enc}_{\Delta_1}(\bar X_1)$ and $P_2 = \mathrm{Enc}_{\Delta_2}(\bar X_2)$, we have

$$H_\infty(\bar X_1 \mid (P_1, P_2)) = H_\infty((\bar X_1, \bar X_2) \mid (P_1, P_2)) = H_\infty(\bar X_2 \mid (P_1, P_2)). \qquad (7)$$

That is, the proposed sketch family is well-formed. $\square$

By combining Theorem 1 and Lemma 3, and considering that for the member of the sketch family identified by $Q_{\Delta_1}$ with step size $\Delta_1$ the size of the sketch is $|P_1| = n(\log \Lambda_{\Delta_1})$, we have the following lemma.


Secure Sketch for Biometric Templates    109

Lemma 4. For the quantization-based sketch family defined in Section 5.1, given any member identified by $Q_{\Delta_1}$ with step size $\Delta_1$ and encoder $\mathrm{Enc}_{\Delta_1}$, it holds that, for every random variable $X \in \mathcal{U}$ and any member identified by $Q_{\Delta_2}$ with step size $\Delta_2$ and encoder $\mathrm{Enc}_{\Delta_2}$, we have

$$H_\infty(Q_{\Delta_2}(X) \mid \mathrm{Enc}_{\Delta_2}(Q_{\Delta_2}(X))) - H_\infty(Q_{\Delta_1}(X) \mid \mathrm{Enc}_{\Delta_1}(Q_{\Delta_1}(X))) \le n(\log \Lambda_{\Delta_1}).$$

In other words, the relative entropy loss is at most $n(\log \Lambda_{\Delta_1})$ for $Q_{\Delta_1}$.

Not only is the above a worst-case bound; we can show that the worst case can indeed happen.

Lemma 5. The relative entropy loss in Lemma 4 is tight for sufficiently small $\delta$.

Proof: For any given $\Delta_1$, we find a $\Delta_2$ such that it is possible to find $\Lambda_{\Delta_1} = (2\lceil \delta/\Delta_1 \rceil + 1)$ points $W = \{w_0, \ldots, w_{\Lambda_{\Delta_1} - 1}\}$ such that $Q_{\Delta_1}(w_i) - C_{\Delta_1}(Q_{\Delta_1}(w_i)) = i - \lceil \delta/\Delta_1 \rceil$, and $C_{\Delta_2}(w_i) = c_i$ for some codeword $c_i \in \mathcal{C}_{\Delta_2}$. In other words, we want to find points such that each of them would generate a different $d_i$ in the final sketch with $Q_{\Delta_1}$, but would generate exactly the same number (i.e., 0) in the sketch when $Q_{\Delta_2}$ is used. Note that when $\delta$ is sufficiently small, there would be sufficiently many codewords in $\mathcal{C}_{\Delta_1}$, and it is always possible to find such a $\Delta_2$ (e.g., $\Delta_2 = \Delta_1 / 2$).

When each $x \in X$ is uniformly distributed over $W$, we can see that the sketch from the scheme identified by $Q_{\Delta_1}$ would reveal all information about $X$, but in the case of $Q_{\Delta_2}$, the left-over entropy would be exactly $\log \Lambda_{\Delta_1}$. $\square$

Therefore, combining Lemmas 2, 4 and 5 we have

Theorem 6. The quantization-based sketch family defined in Section 5.1 is $(L, R)$-secure, where for each member in the family identified by $Q_\Delta$ with step size $\Delta$, $L(Q_\Delta) = R(Q_\Delta) = n \log \Lambda_\Delta$. Furthermore, the bounds are tight.

For example, if $\Delta = \delta$, we would have $L(Q_\Delta) = R(Q_\Delta) = n(\log 3)$. Note that although decreasing $\Delta$ might give a larger left-over entropy, this is not guaranteed. In fact, if we use a $\Delta' < \Delta$, by applying the above theorem on $Q_{\Delta'}$, we can see that it may result in a smaller left-over entropy than using $Q_\Delta$ (e.g., consider the example in the proof of Lemma 5).
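The construction of Section 5.1 in runnable form, together with the min-entropy measures of Section 3.1, the numbers of the example in Section 4, and the worst-case points of Lemma 5. This is an added Python illustration and not the authors' code; the function names (`quantize`, `nearest_codeword`, `encode`, `decode`, `uniform_point_analysis`, `worst_case_points`) and the sample template with its noisy reading are constructed for this example. The step sizes and the noise bound are handled as exact rationals so that $\lceil \delta/\Delta \rceil$ and the quantization cell boundaries are not disturbed by floating-point rounding.

```python
# Added illustration of the quantization-based sketch (Section 5.1) with the
# min-entropy measures of Section 3.1; not the authors' code.  delta and Delta are
# handled as exact rationals so ceil(delta/Delta) and the cell boundaries are not
# disturbed by floating-point rounding; only the sample points are floats.
import math
from collections import defaultdict
from fractions import Fraction
from typing import Dict, List, Sequence, Tuple

def exact(v) -> Fraction:
    """A parameter written in decimal (0.01) is meant as the exact rational 1/100."""
    return v if isinstance(v, Fraction) else Fraction(str(v))

def min_entropy(dist: Dict[int, float]) -> float:
    """H_inf(A) = -log2 max_a Pr[A = a]."""
    return -math.log2(max(dist.values()))

def avg_min_entropy(joint: Dict[Tuple[int, int], float]) -> float:
    """H_inf(A | B) = -log2 E_b[2^(-H_inf(A | B=b))]; because Pr[b]*max_a Pr[a|b]
    equals max_a Pr[a, b], this is -log2 sum_b max_a Pr[a, b]."""
    best: Dict[int, float] = defaultdict(float)
    for (a, b), p in joint.items():
        best[b] = max(best[b], p)
    return -math.log2(sum(best.values()))

def quantize(x, step) -> int:
    """Q_Delta(x) = xbar  iff  xbar*Delta <= x < (xbar + 1)*Delta."""
    return math.floor(Fraction(x) / exact(step))

def noise_level(delta, step) -> int:
    """delta_Delta = ceil(delta/Delta): the largest shift a quantized point can suffer."""
    return math.ceil(exact(delta) / exact(step))

def nearest_codeword(xbar: int, lam: int) -> int:
    """C_Delta(xbar): the codeword c = k*Lambda_Delta with |xbar - c| <= delta_Delta.
    Lambda_Delta = 2*delta_Delta + 1 is odd, so that codeword is unique."""
    half = (lam - 1) // 2
    return ((xbar + half) // lam) * lam

def encode(xs: Sequence[float], delta, step) -> List[int]:
    """Enc_Delta: the sketch is the offset d_i = xbar_i - C_Delta(xbar_i) of each point."""
    lam = 2 * noise_level(delta, step) + 1
    xbars = [quantize(x, step) for x in xs]
    return [xbar - nearest_codeword(xbar, lam) for xbar in xbars]

def decode(ys: Sequence[float], sketch: Sequence[int], delta, step) -> List[int]:
    """Dec_Delta: shift each quantized y_i by -d_i, snap to the codebook, shift back."""
    lam = 2 * noise_level(delta, step) + 1
    return [nearest_codeword(quantize(y, step) - d, lam) + d for y, d in zip(ys, sketch)]

def uniform_point_analysis(delta, step) -> Tuple[float, float, float]:
    """One point x uniform on [0, 1): (min-entropy of xbar, entropy loss of its sketch
    entry d, left-over entropy), found by enumerating the quantized domain exactly."""
    domain = math.ceil(1 / exact(step))
    lam = 2 * noise_level(delta, step) + 1
    p = 1.0 / domain
    h_min = min_entropy({xb: p for xb in range(domain)})
    leftover = avg_min_entropy({(xb, xb - nearest_codeword(xb, lam)): p for xb in range(domain)})
    return h_min, h_min - leftover, leftover

def worst_case_points(delta, step1, step2) -> Tuple[List[float], float, float]:
    """Lemma 5: Lambda_1 points whose Delta_1 sketch entries take every value in
    [-delta_1, delta_1] while their Delta_2 sketch entries are all 0.  Returns the
    points and the left-over entropy of a point uniform on them under each step size."""
    lam1 = 2 * noise_level(delta, step1) + 1
    lam2 = 2 * noise_level(delta, step2) + 1
    chosen: Dict[int, Fraction] = {}
    for c2 in range(0, math.ceil(1 / exact(step2)), lam2):  # scan the Delta_2 codewords
        w = c2 * exact(step2)                                 # a point with Q_Delta2(w) = c2
        d1 = quantize(w, step1) - nearest_codeword(quantize(w, step1), lam1)
        chosen.setdefault(d1, w)
        if len(chosen) == lam1:
            break
    pts = sorted(chosen.values())
    p = 1.0 / len(pts)

    def leftover(step, lam):
        xbars = [quantize(w, step) for w in pts]
        return avg_min_entropy({(xb, xb - nearest_codeword(xb, lam)): p for xb in xbars})

    return [float(w) for w in pts], leftover(step1, lam1), leftover(step2, lam2)

if __name__ == "__main__":
    delta = 0.01                                  # white-noise bound delta in [0, 1)
    template = [0.1334, 0.4553, 0.0256, 0.9987]   # constructed sample template X
    noisy = [0.1405, 0.4495, 0.0305, 0.9895]      # every point moved by less than delta
    for step in (0.01, 0.001):                    # the two quantizers of the Section 4 example
        sketch = encode(template, delta, step)
        ok = decode(noisy, sketch, delta, step) == [quantize(x, step) for x in template]
        h, loss, left = uniform_point_analysis(delta, step)
        print(f"Delta={step}: sketch={sketch} recovered={ok} "
              f"H_inf={h:.2f} loss={loss:.2f} left-over={left:.2f} bits/point")
    print("Lemma 5 worst case:", worst_case_points(delta, 0.01, 0.005))
```

For $\delta = 0.01$ the enumeration gives a left-over entropy of $\log_2(100/3) \approx 5.06$ bits per point at $\Delta = 0.01$ and $\log_2(1000/21) \approx 5.57$ at $\Delta = 0.001$, the values quoted in Section 4, with an entropy loss of exactly $\log_2 \Lambda_\Delta$ in both cases (the tightness noted after Lemma 2). `worst_case_points(0.01, 0.01, 0.005)` returns the three points $\{0, 0.025, 0.075\}$: under $\Delta_1 = 0.01$ the sketch reveals a point drawn uniformly from them completely (left-over entropy 0), while under $\Delta_2 = 0.005$ the left-over entropy is $\log_2 3$, the gap of $\log \Lambda_{\Delta_1}$ per point that Lemma 5 asserts.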


5.3 A Special Case 

We further study a special case when each point $x \in X$ is independently and uniformly distributed over $[0, 1)$. We further assume that $1/\delta$ is an integer, and the family of schemes only consists of members with step size $\Delta$ such that $1/\Delta$ is an integer that is a multiple of $\Lambda_\Delta$. This additional assumption is only for the convenience of the analysis, and would not make too much difference in practice.

In this case, the entropy loss in the quantized domain for the member identified by $Q_\Delta$ with step size $\Delta$ would be exactly $n(\log \Lambda_\Delta)$, which shows that Lemma 2 is tight. Moreover, it is interesting that the relative entropy loss in this case can be bounded by a constant.
Corollary 7. When each $x \in X$ is independently and uniformly distributed, the quantization-based sketch family defined in Section 5.1 is $(L, R)$-secure, where for each member in the family identified by $Q_\Delta$ with step size $\Delta$, $L(Q_\Delta) = n(\log \Lambda_\Delta)$ and $R(Q_\Delta) = n \log\left(1 + \frac{\Delta}{2\delta}\right) \le n \log(3/2)$.

Proof: The claim $L(Q_\Delta) = n(\log \Lambda_\Delta)$ follows directly from Lemma 2, so we only focus on $R$. Consider two members of the family identified by $Q_{\Delta_1}$ and $Q_{\Delta_2}$ respectively. Without loss of generality, we assume $\Delta_1 > \Delta_2$. Consider any $x \in X$; let $\bar x_1 = Q_{\Delta_1}(x)$ and $c_1 = C_{\Delta_1}(\bar x_1)$. Similarly we define $\bar x_2 = Q_{\Delta_2}(x)$ and $c_2 = C_{\Delta_2}(\bar x_2)$. Hence, the min-entropy in the quantized domain would be $\log(1/\Delta_1)$ and $\log(1/\Delta_2)$ respectively.

Clearly, $c_1$ and $c_2$ are also uniformly distributed over $\mathcal{C}_{\Delta_1}$ and $\mathcal{C}_{\Delta_2}$ respectively, and do not depend on $d_1$ and $d_2$. Hence, the left-over entropy for these two members would be $\log(|\mathcal{C}_{\Delta_1}|) = \log \frac{1}{\Delta_1 + 2\delta}$ and $\log(|\mathcal{C}_{\Delta_2}|) = \log \frac{1}{\Delta_2 + 2\delta}$ respectively. Furthermore, recall that $0 < \Delta_2 < \Delta_1 \le \delta$, and the difference between these two quantities can be bounded as

$$\log(|\mathcal{C}_{\Delta_2}|) - \log(|\mathcal{C}_{\Delta_1}|) = \log \frac{\Delta_1 + 2\delta}{\Delta_2 + 2\delta} < \log\left(1 + \frac{\Delta_1}{2\delta}\right) \le \log \frac{3}{2}.$$

Therefore, the relative entropy loss is bounded by $n \log(3/2)$ as claimed. $\square$

5.4 Remarks 

Choosing the step size $\Delta$. We can view the step size $\Delta$ as a measure of the precision of $X$. Since the white noise in the continuous domain is fixed at $\delta$, when $\Delta$ becomes smaller, the corresponding white noise in the quantized domain would increase, and vice versa. That is intuitively why it is not possible to obtain much more left-over entropy by simply having $X$ represented in a higher precision. In fact, it is not difficult to show that there are certain distributions of $X$ such that a smaller step size would reveal more information. Furthermore, the scheme can be more efficient if we use a relatively larger step size, since we would need fewer bits to represent both $X$ and the white noise in the quantized domain. If we use the same quantizer for both encoding and decoding, the simplest form of white noise in the quantized domain can be achieved when $\Delta = \delta$, where a quantized $\bar x$ can be either left unchanged, or shifted by 1. In this case, from Theorem 6, we can get at most $n \log 3$ additional bits if we choose another $\Delta' < \delta$. If $X$ is uniformly distributed, the increment is at most $n \log(3/2)$ by Corollary 7.

When $\Delta > \delta$, the form of white noise in the quantized domain would remain unchanged, but we may lose too much information about $X$ due to the large quantization step, which may result in a much lower left-over entropy. Therefore, it is not desirable to have a step size larger than $\delta$ in general. If different quantizers are used during encoding and decoding, with a large step size (e.g., $2\delta$), it is possible to reduce the white noise in the quantized domain to a special 0-1 noise, under which an $\bar x$ is either left unchanged or shifted to $\bar x + 1$, as observed in [4]. Nevertheless, this strategy may give lower left-over entropy.
Handling replacement noise. After the white noise has been corrected, an existing scheme for set difference can be applied in the quantized domain to correct the replacement noise. There are known schemes that can achieve entropy loss of $O(t \log \lceil \frac{1}{\Delta} \rceil)$ with a small leading constant, such as those in [7,3]. Although replacement noise is not considered for the face biometrics that we study in Section 6, it may need to be addressed for other biometric templates (e.g., iris patterns [9]).

Extension to higher dimensions. It is straightforward to extend our scheme to higher dimensions, where each $x \in X$ is a point in some $d$-dimensional space. For example, we can apply a scalar quantizer on each coordinate of every point, and let the distance of two points in $d$-dimensional space be measured by the max-norm (i.e., the maximum distance over all dimensions). The entropy loss of the resulting scheme would be $d$ times that in the current construction for 1-D points. If there is no replacement noise, we could also expand the $n$ points in $d$-dimensional space into $nd$ points in 1-D and apply the proposed scheme.

The choice of the sketch family. It is important to note that even if a quantization- 
based sketch family is well-formed, it does not guarantee the existence of a “good” 
quantizer in that family. Nevertheless, it does allow us to evaluate any given mem- 
ber in the family with respect to the “optimal” member in the family. We consider 
it a challenging open problem to find a general algorithm to find the optimal quan- 
tizer among all possible quantizers, given certain practical constraints (e.g., the 
smallest possible quantization step and the distribution of X). 

6 A Concrete Construction for Face Biometrics 

Face images, especially those taken in a controlled environment, can be used as the basis of identity verification. Here we follow the techniques employed in [17] and make use of the singular value decomposition (SVD) of the face images for verification, which is a well-known strategy in the face recognition literature (such as [10,6]). Given a face image $A$ of size $M \times N$, we can always find matrices $U$, $\Sigma$ and $V$ such that $A = U \Sigma V^T$, where $\Sigma$ is an $M \times N$ matrix with $\min(M, N)$ non-zero elements ordered according to their significance. As noted in [17], some (say, $n$) most significant coefficients of $\Sigma$ contain significant identity information of the individual. Typically $n$ is chosen such that the sum of these $n$ coefficients is more than, say, 98% of the sum of all the coefficients.

In [17], the biometric template of an individual is obtained as follows. First, we take a few face images, compute the SVD, and obtain the minimum $\min_i$ and maximum $\max_i$ of the $i$-th significant coefficient, for $1 \le i \le n$, where $n$ is chosen to be 20. The mean value $a_i = (\max_i + \min_i)/2$ is then taken as a point in the template. When a new face image is presented for verification, its SVD is computed, and if for $1 \le i \le n$ the $i$-th significant coefficient is sufficiently close to $a_i$, it is considered authenticated. The scheme in [17] is applied to face images from the Essex Faces94 Database [16], which contains 152 faces with 20 images for each face (24-bit color JPEG). Twelve images per face are randomly chosen to compute the templates, and the remaining 8 are used for testing. The experiments show that when the false accept rate is 0.005, the false reject rate is less than 0.045.

To apply our sketch scheme, for each coefficient, we further compute the minimum $\min$ and the maximum $\max$ over all the templates in the database (assuming that the number of templates is large). Hence, we can compute our biometric template $X$ as a sequence of $n$ points, where the $i$-th point $x_i = $ ■ We set the noise level $\delta_i = $ ■ for some constant $k > 1$. In this way, each point $x_i$ will be between 0 and 1 so that our scheme can be applied. There is a difference, however, in that we have a different $\delta_i$ for each point, which we have to put as part of the sketch. Nevertheless, our analysis of the entropy loss can be easily adapted to this case, and the difference here will not affect the security of the scheme. Here we choose $\Delta_i = \delta_i$ for all $1 \le i \le n$.

In this way, the sketch produced by our proposed scheme would be the tuple

$$P = (\min, \max, \Delta_1, \ldots, \Delta_n, \bar x_1 - C_{\Delta_1}(\bar x_1), \ldots, \bar x_n - C_{\Delta_n}(\bar x_n))$$

where $\bar x_i = Q_{\Delta_i}(x_i)$ for $1 \le i \le n$. By applying the arguments in Theorem 6 and Corollary 7 to each point in $X$, we have

Corollary 8. The entropy loss in the quantized domain for the aforementioned scheme is at most $n \log 3$. Let $m$ be the left-over entropy. When $\Delta_i < \delta_i$ for any $i$, $1 \le i \le n$, let the left-over entropy be $m'$. We have $m' - m \le n \log 3$. If all points are uniformly distributed, we have $m' - m \le n \log(3/2)$.

When $n = 20$, the above bounds are approximately 31.7 and 11.7 respectively.
Abstract. The complex multiplication (CM) method for genus 2 is currently the most efficient way of generating genus 2 hyperelliptic curves defined over large prime fields and suitable for cryptography. Since low class number might be seen as a potential threat, it is of interest to push the method as far as possible. We have thus designed a new algorithm for the construction of CM invariants of genus 2 curves, using 2-adic lifting of an input curve over a small finite field. This provides a numerically stable alternative to the complex analytic method in the first phase of the CM method for genus 2. As an example we compute an irreducible factor of the Igusa class polynomial system for the quartic CM field $\mathbb{Q}(i\sqrt{75 + 12\sqrt{17}})$, whose class number is 50. We also introduce a new representation to describe the CM curves: a set of polynomials in $(j_1, j_2, j_3)$ which vanish on the precise set of triples which are the Igusa invariants of curves whose Jacobians have CM by a prescribed field. The new representation provides a speedup in the second phase, which uses Mestre’s algorithm to construct a genus 2 Jacobian of prime order over a large prime field for use in cryptography.


1 Introduction 

In the late 1980's, Koblitz proposed the use of hyperelliptic curves in cryptography. Since then, significant progress has been made in turning this idea into practice, and currently genus two cryptosystems present the same security benefits as elliptic curves, together with potential benefits in terms of performance and new protocols [31,2,17,22].

The efficient generation of genus two groups of prime or nearly prime order over finite fields of large characteristic, however, remains an important issue. Random curve generation in characteristic 2 is amenable to efficient versions of Kedlaya's algorithm or Mestre's AGM algorithm. In contrast, over large prime fields the latest records for point counting (see [18]) still require about a week's computation time for each curve. In this case, the complex multiplication method currently provides the only efficient approach to cryptographic curve construction. For genus one, several authors have introduced improvements to the CM method using p-adic lifting [13,7,6,24]. Our article generalizes such work to the case of genus two. Furthermore, in the past few years, the elliptic CM method has gained new interest as the key tool for building curves with a special structure, in particular curves with a computable bilinear map [29]. Similar constructions in genus two will also require explicit CM methods.

The first phase of the CM method constructs the Igusa class polynomials for CM genus two curves, which determine the triples $(j_1, j_2, j_3)$ of invariants of curves whose Jacobians have prescribed endomorphism ring. These polynomials are determined by complex analytic techniques, or, in this work, by p-adic analytic construction. After solving for the roots of these polynomials over a chosen finite field of large characteristic, the algorithm of Mestre [28] allows one to construct a model of the curve for which the group order of its Jacobian has been previously determined to be prime or nearly prime. In this article, we extend the computational limit for Igusa class polynomials in genus two, addressing concerns that a CM field of low class number might give rise to weak curves in a cryptographic protocol.

Our first contribution is to use a 2-adic lifting method in place of the classical floating point complex approach. We start with a binary curve over a field small enough so that point counting is possible using naive methods. We determine not only the number of points but also the endomorphism ring of the Jacobian and therefore the CM field $K$ associated to it. By computing the canonical 2-adic lift with sufficiently high precision we are able to get the class polynomials which we recognize as polynomials over the rationals. This bypasses the costly step of evaluating theta functions. We also introduce a simple representation of the ideal of CM invariants in terms of univariate polynomials. Prior authors focused on finding the degree $h_K^*$ minimal polynomials $H_1(X)$, $H_2(X)$ and $H_3(X)$ of the invariants $j_1$, $j_2$ and $j_3$. However in the second phase of the CM method, this requires a combinatorial match of $(h_K^*)^3$ roots to find one of $h_K^*$ valid triples, when constructing a CM curve. For those small values of $h_K^*$ previously attainable, this was not particularly onerous, but with our 2-adic method, our largest examples computed have reached $h_K^* = 100$, for which this combinatorial matching problem is undesirable.

Our Magma and C implementation of the 2-adic CM method allows us to compute a degree 50 irreducible factor of the Igusa class polynomials for the quartic CM field $K = \mathbb{Q}(i\sqrt{75 + 12\sqrt{17}})$. The class number of $K$ is 50 and the Igusa class polynomials for $K$ have degree $h_K^* = 100$.

The paper is organized as follows. In section 2 we introduce the mathematical objects we need to explain the 2-adic CM method and the generation of hyperelliptic curves suitable for cryptography. In section 3 we deal with Igusa class polynomials, our new representation of the ideal of invariants. In section 4 we give details about the 2-adic CM method. In section 5 we analyze its complexity and compare it with previous methods [35,40,9,16].
2 Mathematical Background

In this section, we briefly present the mathematical tools that we need. The first part deals with complex multiplication theory. We give theoretical results applied to our genus two case. Then we recall the Lubin-Serre-Tate theorem for genus two and finally we deal with the reduction of the variety of j-invariants.


2.1 Complex Multiplication Theory 

We begin with some definitions and results from the theory of complex multiplication (see [33] for further details). The central notion is that of a CM field, defined to be a totally imaginary quadratic extension $K$ of a totally real number field $K_0$.

For the study of genus two curves we will be interested in quartic CM fields $K$. We define a type of such a field as a pair of non-conjugate embeddings $\Phi = (\phi_1, \phi_2)$ of $K$ in $\mathbb{C}$. If $I$ is an ideal in the ring of integers $\mathcal{O}_K$ of $K$, we consider $\Phi(I) = \{(\phi_1(\alpha), \phi_2(\alpha)) \in \mathbb{C}^2,\ \alpha \in I\}$. The set $\Phi(I)$ is a lattice in $\mathbb{C}^2$ and $\mathbb{C}^2/\Phi(I)$ is an abelian variety $A$ such that $K \subset \mathrm{End}(A) \otimes \mathbb{Q}$. We furthermore make the following restrictions:

1. We assume that $K$ is cyclic or non-Galois. The abelian variety $A$ (for which $\mathrm{End}(A) \otimes \mathbb{Q} = K$) is then absolutely simple. This is a good condition for cryptographic applications since we want $\#A(\mathbb{F}_q)$ to be almost prime.

2. We assume that $h_{K_0} = 1$, which implies that the abelian surface $A$ has a principal polarization. As $A$ is absolutely simple, it follows there exists a genus two curve $C$ such that $A = \mathrm{Jac}(C)$.

3. We assume moreover that $\mathrm{End}(\mathrm{Jac}(C)) = \mathcal{O}_K$. The above conditions imply $\mathrm{End}(\mathrm{Jac}(C)) \subset \mathcal{O}_K$, but for sake of simplicity of both theory and computations, we restrict to the case where this inclusion is an equality. This requires us to address the issue of testing effectively this hypothesis for a given curve $C$, but we will not treat these algorithms in this article (see however [16]).

Definition 1. Let $C$ be a hyperelliptic curve of genus two and $K$ a quartic CM field. We say that $C$ has complex multiplication by $\mathcal{O}_K$ if the endomorphism ring of the Jacobian of the curve is isomorphic to the ring of integers $\mathcal{O}_K$ of $K$.

Example 1. As an example we consider $K = \mathbb{Q}(i\sqrt{2 + \sqrt{2}})$. The real subfield of $K$ is $\mathbb{Q}(\sqrt{2})$ since $(i\sqrt{2 + \sqrt{2}})^2 + 2 = -\sqrt{2}$. Then there exists a curve defined over $\mathbb{Q}$ with model $y^2 = -x^5 + 3x^4 + 2x^3 - 6x^2 - 3x + 1$, whose Jacobian has endomorphism ring $\mathcal{O}_K$. Further details on this example can be found in [38] or [35].

We first recall basic notions of CM theory in genus one, for which we refer to [3]. We begin with a positive squarefree integer $D$, and compute the class group of $K = \mathbb{Q}(i\sqrt{D})$, which we denote by $Cl_K$. For complex numbers $(\tau_i)_{i \in \{1, \ldots, h_K\}}$ representing the classes in $Cl_K$, we associate an elliptic curve with period lattice $\mathbb{Z} + \tau_i \mathbb{Z}$. Finally we compute the j-invariant $j_i = j(\tau_i)$ using $\eta$-functions and recover the classical Hilbert class polynomial from the definition $H(X) = \prod_i (X - j_i) \in \mathbb{Z}[X]$, as a monic polynomial over the integers.

The analogous theory for genus two presents several additional technical challenges. The first question is to determine how many isomorphism classes of CM curves are associated to a CM order $\mathcal{O}_K$. We denote this number by $h_K^*$. In genus one, this number equals the class number $h_K$, but in higher genus there is no longer a one-to-one correspondence between the ideal classes and the principally polarized abelian surfaces with endomorphism ring $\mathcal{O}_K$, each of which gives rise to an isomorphism class of CM curves. However, for a quartic CM field $K$ with real subfield of class number one, we can make the following statement.

Theorem 1. Let $K$ be a quartic CM field with real quadratic subfield $K_0$ of class number 1. If $K$ is cyclic over $\mathbb{Q}$ then there are $h_K$ isomorphism classes and if $K$ is not normal over $\mathbb{Q}$ then there are $2h_K$ isomorphism classes with $h_K$ classes associated to each CM type.

Remark 1. The Cohen-Lenstra heuristics [11] predict that the real quadratic field $K_0$ has class number 1 with density greater than 3/4, so this is expected to apply to this proportion of all quartic CM fields.

The above theorem establishes the degree of the Igusa class polynomials, which vanish on the triples of the CM Igusa invariants $(j_1, j_2, j_3)$. Once their degree is known, we can apply a construction as in the genus 1 CM method for the classical complex CM method. Beginning from a quartic CM field $K$, we compute the class group of $K$ over $\mathbb{Q}$, and find a representative of each class. Here the representatives are $2 \times 2$ matrices called period matrices which can be computed from a set of representatives of the class group of $K$ and a fundamental unit of $K_0$. We refer to [40] for the exact construction of these period matrices $(\Omega_i)_{1 \le i \le h_K^*}$. Evaluating theta functions at the $\Omega_i$ allows to recover the j-invariants $(j_1^{(i)}, j_2^{(i)}, j_3^{(i)})$ of the CM curves and joining the j-invariants together gives us the Igusa class polynomials described in [35] or in [40] as

$H_1 = \prod_{i=1}^{h_K^*} (X - j_1^{(i)}), \quad H_2 = \prod_{i=1}^{h_K^*} (X - j_2^{(i)}), \quad H_3 = \prod_{i=1}^{h_K^*} (X - j_3^{(i)}).$

For the purposes of 2-adic lifting we may use normalized invariants $j_1$, $j_2$, and $j_3$, defined in terms of the Igusa-Clebsch invariants $A, B, C, D$ (denoted $A', B', C', D'$ in Mestre [28]), by $j_1 = A^5/8D$, $j_2 = 2A^3B/D$, $j_3 = 8A^2C/D$.


2.2 The Lubin-Serre-Tate Theorem for Genus Two 

In 1964, Lubin, Serre and Tate [25] proved the existence of the canonical lift of an ordinary abelian variety and gave a way of computing this lift for elliptic curves, extending a result of Deuring [14]. Denote by $\mathbb{Q}_p$ the field of p-adic numbers, by $\mathbb{Q}_{p^d}$ the unique unramified extension of degree $d$, and by $\mathbb{Z}_p$ or $\mathbb{Z}_{p^d}$ their respective rings of integers (see e.g. [4] or [21] for background). The fundamental property of the canonical lift $A^\uparrow/\mathbb{Z}_{p^d}$ of an ordinary abelian variety $A/\mathbb{F}_{p^d}$ is that $\mathrm{End}(A^\uparrow) = \mathrm{End}(A)$. Moreover, $A^\uparrow$ is actually defined over $\overline{\mathbb{Q}}$. Thus if we can find a curve over $\mathbb{F}_{p^d}$ whose Jacobian is ordinary and has complex multiplication by the ring of integers of a quartic CM field $K$, we theoretically obtain a curve over $\overline{\mathbb{Q}}$ with complex multiplication by $\mathcal{O}_K$. In this article, $p$ is fixed to 2, and CM curves over $\mathbb{F}_{2^d}$ whose Jacobian is ordinary are not rare and can be found easily.

To perform this method explicitly, we require a constructive formulation of 
the existence theorem for the canonical lift. In genus 1, this is the following 
theorem (see [39]). 

Theorem 2. Let $p$ be a prime number and $d$ an integer greater than 2. Let $E$ be an ordinary elliptic curve over $\mathbb{F}_{p^d}$ with j-invariant $j(E) \in \mathbb{F}_{p^d} \setminus \mathbb{F}_{p^2}$. Denote by $\sigma$ the Frobenius automorphism of $\mathbb{Z}_{p^d}$ and by $\Phi_p(X, Y)$ the $p$-th modular polynomial. Then the system of equations

$\Phi_p(X, X^\sigma) = 0 \quad \text{and} \quad X = j(E) \bmod p,$

has a unique solution $J \in \mathbb{Z}_{p^d}$, which is the j-invariant of the canonical lift $E^\uparrow$ of $E$ (defined up to isomorphism).

Generalization to genus two is easier if one speaks about isogeny instead of modular equations:

Theorem 3. Let $C$ be an ordinary hyperelliptic curve of genus two over $\mathbb{F}_{p^d}$. Then there exists a hyperelliptic curve $C^\uparrow$ of genus two defined over $\mathbb{Q}_{p^d}$ that is a canonical lift of $C$ (in the sense that the endomorphism ring of the Jacobian is preserved) and furthermore there exists a $(p, p)$-isogeny between $\mathrm{Jac}(C^\uparrow)$ and $\mathrm{Jac}(C^{\uparrow\sigma})$ that reduces to the Frobenius map from $\mathrm{Jac}(C)$ to its conjugate.

In the case where $p = 2$, the Richelot isogeny [5] provides explicit formulae that allow us to translate this theorem into a set of equations that must be satisfied by the defining equation of the canonical lift. A Newton-like process due to Harley is then used to solve it (more details are given in Section 4.1).

General results on the convergence of the Newton process for the AGM are given by Carls [8] for abstract abelian varieties. In our case, we have explicit equations for the Richelot correspondences of curves, for which this theoretical machinery is not required and the convergence can be checked using classical criteria (valuation of the Jacobian matrix of the system of equations).

2.3 Reduction of the Moduli Subvariety 

This section is based on the work of Goren [19] describing the reduction of an 
abelian surface. 

Theorem 4 ([19]). Let $K$ be a cyclic quartic CM field and $A$ an abelian variety having CM by $\mathcal{O}_K$, the ring of integers of $K$. Let $\mathfrak{p}$ be a prime of $\overline{\mathbb{Q}}$, $\mathfrak{p}_1 = \mathfrak{p} \cap \mathcal{O}_K$ and $(p) = \mathfrak{p}_1 \cap \mathbb{Z}$. Assume that $p$ is unramified in $K$. Then the reduction $A_{\mathfrak{p}}$ of $A$ mod $\mathfrak{p}$ is determined by the decomposition of $p$ in $\mathcal{O}_K$ as follows:

(i) if $p = \ldots$ then $A_{\mathfrak{p}}$ is ordinary and simple;

(ii) if $p = \ldots$ then $A_{\mathfrak{p}}$ is isomorphic to the product of two supersingular elliptic curves;

(iii) if $p = \ldots$ then $A_{\mathfrak{p}}$ is isogenous but not isomorphic to a product of two supersingular elliptic curves.

For a non-normal quartic CM field, which is the generic case, an analogous 
theorem holds: depending on group theoretic considerations in the Galois group 
of the normal closure of K, one can decide whether the reduction of the Jacobian 
of a CM curve is ordinary, intermediate, or supersingular, and whether or not it 
is simple. We omit the details here and refer instead to Goren [19] for a precise 
statement. 

These results are used at two places. First, they are required in the final curve construction step, to determine a prime of ordinary reduction, a necessary condition for cryptographic use. From the primes of ordinary reduction, we choose a prime $p$ such that a solution to the Igusa class polynomials over $\mathbb{F}_p$ gives a group order which is prime. Second, for the 2-adic method to work, the reduction modulo 2 must be ordinary, otherwise the canonical lift is not well-defined and the lifting algorithm does not apply. Given a CM field $K$, the theorem describes when there exists an ordinary curve defined over a finite field $\mathbb{F}_{2^d}$ with CM by $\mathcal{O}_K$. As the input to our algorithm is an ordinary curve, rather than the CM field $K$, this theorem describes the condition at 2 on those CM fields which can be treated by our algorithm.

3 New Representation of the CM Variety 

Before presenting our 2-adic CM method, we explain our modification to the representation of the ideal describing the CM invariants. In the classical CM method, Spallek [35] chose to compute three polynomials $H_1$, $H_2$ and $H_3$, defined as

$H_1 = \prod_{i=1}^{h_K^*} (X - j_1^{(i)}), \quad H_2 = \prod_{i=1}^{h_K^*} (X - j_2^{(i)}) \quad \text{and} \quad H_3 = \prod_{i=1}^{h_K^*} (X - j_3^{(i)}).$

Subsequently Weng [40] formalized the classical CM method for genus two in terms of the same polynomials. However these polynomials determine an ideal $(H_1(j_1), H_2(j_2), H_3(j_3)) \subset \mathbb{Q}[j_1, j_2, j_3]$ of degree $(h_K^*)^3$, i.e. defining $(h_K^*)^3$ points $(j_1^{(i_1)}, j_2^{(i_2)}, j_3^{(i_3)})$, of which only the $h_K^*$ solutions $(j_1^{(i)}, j_2^{(i)}, j_3^{(i)})$ determine valid CM curves.

In order to compute the equation of a CM curve, we need to test all $(h_K^*)^3$ candidate solutions to this system of equations to find one of the $h_K^*$ which is known to have the correct endomorphism ring. For each solution we must apply Mestre's algorithm [28] to find the corresponding curve, then test a random point on the Jacobian to determine if the group of rational points has the correct order. This overhead is unnecessary since with a few additional relations among the $(j_1, j_2, j_3)$, we determine a complete set of relations for the CM invariants of the desired CM order.



120 P. Gaudry et al. 


The solution is to find some compact representation for the full ideal of class invariants. Beginning with the minimal polynomial of $j_1$, $H_1(X) = \prod_{i=1}^{h_K^*} (X - j_1^{(i)}) \in \mathbb{Q}[X]$, we then use Lagrange interpolation to compute

$G_k(X) = \sum_{i=1}^{h_K^*} j_k^{(i)} \prod_{l \ne i} \frac{X - j_1^{(l)}}{j_1^{(i)} - j_1^{(l)}} \in \mathbb{Q}[X], \quad \text{for } k = 2, 3.$

This solves the problem of having an incomplete specification for the ideal of invariants, since $j_k = G_k(j_1)$ are uniquely determined by any root $j_1$ of $H_1(X)$. To determine a CM curve over $\mathbb{F}_p$, we solve for a root $j_1$ of $H_1(X) \bmod p$ which determines $j_2 = G_2(j_1)$ and $j_3 = G_3(j_1)$, and use Mestre's algorithm to determine a CM curve from the triple

Modified Lagrange interpolation. The above construction provides an exact description of the CM invariants, but we observe empirically that the coefficient sizes of $G_k$, in comparison with those for $H_k$, are larger by a factor of three to four. However, in the formulae for $G_k$, we can pull out the factor $\prod_{l \ne i} (j_1^{(i)} - j_1^{(l)})^{-1}$. Therefore instead of using $G_k$ we consider the polynomials

$\hat{H}_k(X) = \sum_{i=1}^{h_K^*} j_k^{(i)} \prod_{l \ne i} (X - j_1^{(l)}) \in \mathbb{Q}[X] \quad \text{for } k = 2, 3,$

which recover the lost factor, and have coefficients of the same order of magnitude as $H_k$. The defining relations for our CM invariants can now be expressed as

$H_1(j_1) = 0, \quad H_1'(j_1)\, j_2 = \hat{H}_2(j_1), \quad H_1'(j_1)\, j_3 = \hat{H}_3(j_1).$

In order to explain the decrease in the size of the polynomial coefficients, we make some assumptions to deal with a notion of size for the j-invariants we are manipulating. Let $L$ be a number field containing all Galois conjugates of the j-invariants. We assume that there exists a notion of a logarithmic height function $h : L \to \mathbb{R}_{\ge 0}$, measuring the size of elements, which satisfies the properties $h(ab) = h(a) + h(b)$ and $h(a + b) \le \max(h(a), h(b))$, for general $a$ and $b$. We extend $h$ to a height function on $L[X]$ by $h(\sum_{i=0}^{n} a_i X^i) = \sum_{i=0}^{n} h(a_i)$. We also assume that all the j-invariants are random elements of bounded height $\delta$. We can then estimate the relative heights of our polynomials $H_k$, $G_k$, and $\hat{H}_k$. We evaluate the size of $H_k$ to be

$h(H_k) \le \sum_{i=1}^{h_K^*} i\,\delta = \frac{h_K^*(h_K^* + 1)}{2}\,\delta,$

since the coefficients of $H_k$ are symmetric polynomials in the $j_k^{(i)}$. A similar calculation for $G_k$ and $\hat{H}_k$ gives $h(G_k) \le 2h_K^*(h_K^* - 1)\delta$, and $h(\hat{H}_k) \le h_K^*(h_K^* - 1)\delta$. Under the assumption that the j-invariants behave as random elements, we expect equality to hold for each bound. This analysis, although heuristic, agrees with the empirical results of the algorithm.
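The representation of this section worked through in exact rational arithmetic, as an added example (not code from the paper or from its Magma/C implementation): on a constructed set of three conjugate triples it builds $H_1$, $\hat{H}_2$, $\hat{H}_3$, verifies the defining relations $H_1'(j_1)\,j_k = \hat{H}_k(j_1)$, and performs the second-phase step of reading off one triple per root of $H_1 \bmod p$, against the $(h_K^*)^3$ candidates of the classical three-polynomial representation. The sample triples, the prime $p = 101$ and all function names are assumptions of the example.

```python
from fractions import Fraction
from itertools import product

# Polynomials over Q are coefficient lists, lowest degree first.

def poly_mul(a, b):
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [Fraction(0)] * (n - len(a)), b + [Fraction(0)] * (n - len(b))
    return [x + y for x, y in zip(a, b)]

def poly_eval(a, x):
    r = Fraction(0)
    for c in reversed(a):
        r = r * x + c
    return r

def poly_deriv(a):
    return [i * c for i, c in enumerate(a)][1:]

def from_roots(roots):
    p = [Fraction(1)]
    for r in roots:
        p = poly_mul(p, [-Fraction(r), Fraction(1)])
    return p

def class_polynomials(triples):
    """triples: the h conjugate CM points (j1^(i), j2^(i), j3^(i)).
    Returns (H1, Hhat2, Hhat3) with H1(X) = prod_i (X - j1^(i)) and
    Hhat_k(X) = sum_i j_k^(i) prod_{l != i} (X - j1^(l)), so that
    H1'(j1^(i)) * j_k^(i) = Hhat_k(j1^(i)) holds exactly at every conjugate."""
    j1s = [Fraction(t[0]) for t in triples]
    H1 = from_roots(j1s)
    hats = []
    for k in (1, 2):
        acc = [Fraction(0)]
        for i, t in enumerate(triples):
            others = from_roots(j1s[:i] + j1s[i + 1:])
            acc = poly_add(acc, [Fraction(t[k]) * c for c in others])
        hats.append(acc)
    return H1, hats[0], hats[1]

def relations_hold(triples):
    """Check H1(j1) = 0, H1'(j1) j2 = Hhat2(j1), H1'(j1) j3 = Hhat3(j1)."""
    H1, Hh2, Hh3 = class_polynomials(triples)
    dH1 = poly_deriv(H1)
    for j1, j2, j3 in triples:
        if poly_eval(H1, j1) != 0:
            return False
        if poly_eval(dH1, j1) * j2 != poly_eval(Hh2, j1):
            return False
        if poly_eval(dH1, j1) * j3 != poly_eval(Hh3, j1):
            return False
    return True

def _mod_p(poly, p):
    return [c.numerator * pow(c.denominator, -1, p) % p for c in poly]

def _eval_mod_p(poly, x, p):
    r = 0
    for c in reversed(poly):
        r = (r * x + c) % p
    return r

def _roots_mod_p(poly, p):
    return [x for x in range(p) if _eval_mod_p(poly, x, p) == 0]

def cm_triples_mod_p(triples, p):
    """Second phase with the new representation: each root j1 of H1 mod p
    yields exactly one triple (j1, Hhat2(j1)/H1'(j1), Hhat3(j1)/H1'(j1)).
    Requires the j1^(i) to stay distinct mod p so that H1'(j1) is invertible."""
    H1, Hh2, Hh3 = class_polynomials(triples)
    h1, h2, h3 = (_mod_p(q, p) for q in (H1, Hh2, Hh3))
    d1 = [i * c % p for i, c in enumerate(h1)][1:]
    out = []
    for x in _roots_mod_p(h1, p):
        inv = pow(_eval_mod_p(d1, x, p), -1, p)
        out.append((x, _eval_mod_p(h2, x, p) * inv % p, _eval_mod_p(h3, x, p) * inv % p))
    return out

def naive_candidates_mod_p(triples, p):
    """Classical representation (H1, H2, H3 each built from its own roots):
    the candidate set is the full product of the three root sets, h^3 triples."""
    roots = [_roots_mod_p(_mod_p(from_roots([Fraction(t[k]) for t in triples]), p), p)
             for k in range(3)]
    return list(product(*roots))

# Constructed sample: three "conjugate" triples with small integer invariants.
SAMPLE_TRIPLES = [(2, 7, -3), (5, 1, 4), (9, -6, 8)]
```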

Remark 2. We emphasize the fact that this new representation applies both to 
the classical CM construction and to our new p-adic method that we present in 
the next section. 

4 The 2-Adic CM Method 

In this section we describe our algorithm for computing the Igusa class polynomials $H_1$, $\hat{H}_2$, $\hat{H}_3$ corresponding to a CM order. In the classical approach one starts from a CM field and computes the Igusa class polynomials. In our approach, the input is a genus 2 curve defined over a small finite field $\mathbb{F}_{2^d}$, for some small $d$, and we reconstruct the class polynomials associated to its canonical lift. The input curves for this construction are defined over a tiny field of no cryptographic interest, but via their canonical lift we find their class invariants over $\mathbb{Q}$, which can then be reduced modulo $p$ to produce curves of cryptographic application over some large prime field $\mathbb{F}_p$. We note that the class polynomials we find may determine a proper irreducible factor of the CM class invariants, in the case the invariants fall into distinct Galois orbits. However, for their application to cryptography this only aids in the rational reconstruction phase of our algorithm.

The algorithm proceeds as follows. Since $d$ is small, one can easily compute all the data related to the input curve $C$, in particular the endomorphism ring $\mathcal{O}$ of its Jacobian, which we assume to be the maximal order of a CM field $K$. The canonical lift of $C$ is then computed to a high precision, so that we can get a good 2-adic approximation of its Igusa invariants. Theorem 1 gives a way to predict the degree $h_K^*$ of the class polynomials. From this information, if the precision is sufficient, there is a unique possibility left for the polynomials $H_1$, $\hat{H}_2$, $\hat{H}_3$. These can be computed by running the LLL algorithm on a matrix built from powers of the invariants of the canonical lift. Algorithm 1 gives a summary of the algorithm, and in the next two subsections we discuss the details.

4.1 Computing the Canonical Lift 

Canonical lifts were introduced in cryptography for the purpose of point counting by Satoh [32] for elliptic curves. After many improvements by several people, this ended up in a very fast method that runs in a time which is almost-linear in the required precision. A precise description and comparison of the various methods in the elliptic case can be found in [39] to which we refer for additional reading. Two genus 2 variants have been introduced by Mestre [27,26], based on the Richelot isogeny or on the Borchardt mean. The latter variant has been developed in detail by Lercier and Lubicz [23].
Algorithm 1 The 2-adic CM method

Input: An ordinary genus 2 curve $C$ defined over $\mathbb{F}_{2^d}$ having CM by an order $\mathcal{O}$;
Output: $(H_{1,irr}, \hat{H}_{2,irr}, \hat{H}_{3,irr})$ which determine an irreducible factor of the class invariants $(H_1, \hat{H}_2, \hat{H}_3)$ of $\mathcal{O}$.

1: Compute the j-invariants of $C$ and choose an arbitrary lift to $\mathbb{Z}_{2^d}$;
2: Compute the canonical lifts $(j_1, j_2, j_3) \in (\mathbb{Z}_{2^d})^3$, i.e. the j-invariants of the canonical lift of $C$;
3: Determine the degree $h_K^*$ of $(H_1, \hat{H}_2, \hat{H}_3)$;
4: Apply the LLL algorithm with input $h_K^*$ and powers of $(j_1, j_2, j_3)$;
5: Retrieve the result of LLL, that is the polynomials $H_{1,irr}$, $\hat{H}_{2,irr}$ and $\hat{H}_{3,irr}$ verifying $H_{1,irr}(j_1) = 0$, $H_{1,irr}'(j_1) \cdot j_2 = \hat{H}_{2,irr}(j_1)$ and $H_{1,irr}'(j_1) \cdot j_3 = \hat{H}_{3,irr}(j_1)$;
6: Return the triple $(H_{1,irr}, \hat{H}_{2,irr}, \hat{H}_{3,irr})$.


For the present work, we used the former approach, based on Richelot isogenies, together with the asymptotically fast lifting algorithm of Harley. Since this is not well described in the literature, we say a few words about it.

The main point is that the Richelot isogeny as described in [5] gives relations between the defining equations of genus 2 curves whose Jacobians are $(2,2)$-isogenous. We take equations in the Rosenhain form: $y^2 = x(x - 1)(x - \lambda_0)(x - \lambda_1)(x - \lambda_\infty)$. Putting $\Lambda = (\lambda_0, \lambda_1, \lambda_\infty)$, we can realize the relations coming from the Richelot isogeny as a system of polynomial maps $\Phi = (\Phi_1, \Phi_2, \Phi_3)$ from $\mathbb{Q}_{2^d}^6 = \mathbb{Q}_{2^d}^3 \times \mathbb{Q}_{2^d}^3$ to $\mathbb{Q}_{2^d}^3$, such that two curves of Rosenhain invariants $\Lambda$ and $\Lambda'$ have Jacobians related by a $(2,2)$-isogeny if and only if $\Phi(\Lambda, \Lambda') = 0$. Hence, according to Theorem 3, the Rosenhain invariants $\Lambda$ of the canonical lift of the curve $C$ we are interested in must verify $\Phi(\Lambda, \Lambda^\sigma) = 0$. Before giving the explicit formulae for $\Phi$, we sketch how Harley's algorithm can be adapted to the multivariate setting.

Assume we have an approximation $\Lambda_0 \in \mathbb{Q}_{2^d}^3$ to the Rosenhain invariants $\Lambda$ of the canonical lift, correct to precision $2^k$. Let $\Lambda_1 \in \mathbb{Z}_{2^d}^3$ be such that $\Lambda = \Lambda_0 + 2^k \Lambda_1$. Then $\Lambda$ satisfies the equation $\Phi(\Lambda, \Lambda^\sigma) = 0$, which rewrites as

$0 = \Phi(\Lambda_0 + 2^k \Lambda_1, \Lambda_0^\sigma + 2^k \Lambda_1^\sigma) \equiv \Phi(\Lambda_0, \Lambda_0^\sigma) + 2^k\, d\Phi(\Lambda_0, \Lambda_0^\sigma) \cdot (\Lambda_1, \Lambda_1^\sigma) \pmod{2^{2k}},$

from which $\Lambda_1$ can be deduced. Indeed, since $\Phi(\Lambda_0, \Lambda_0^\sigma) \equiv 0 \pmod{2^k}$, the equation in $\Lambda_1$ can be restated as $\Lambda_1^\sigma + A\Lambda_1 + B = 0$, where $A$ is a $3 \times 3$ matrix over $\mathbb{Z}_{2^d}$, and $B$ and $\Lambda_1$ are vectors in $\mathbb{Z}_{2^d}^3$. Another level of recursive Newton-lifting is used for solving this so-called Artin-Schreier equation.

In this brief description, we have freely assumed that computing $\sigma$ is a cheap operation, which is unfortunately not true if one takes an arbitrary defining polynomial $f(x)$ for the extension field $\mathbb{Q}_{2^d} = \mathbb{Q}_2[x]/(f(x))$. The trick is to choose the polynomial $f(x)$ such that $f$ divides $x^{2^d} - x$, which in turn implies that $t^\sigma = t^2$, where $t$ is the defining element of the extension field. The computation of such an $f$ is done, again, by a Newton lifting algorithm based on the equation $f(x^2) = f(x)f(-x)$, which is easily seen to be satisfied by the polynomial we are looking for. We refer to [39] for a more precise description.

Let us now describe the polynomial maps $\Phi$ given by the Richelot isogeny. For clarity, we give them in an implicit form that introduces new intermediate variables. Let $\lambda_0$, $\lambda_1$ and $\lambda_\infty$ be the starting Rosenhain invariants. The images $\lambda_0^\sigma$, $\lambda_1^\sigma$ and $\lambda_\infty^\sigma$ of $\lambda_0$, $\lambda_1$ and $\lambda_\infty$ by the second power Frobenius automorphism are given by the following formulae:

$\lambda_0^\sigma = \frac{(u_1 - u_\infty)(w_0 - v_0)}{(u_1 - v_0)(w_0 - v_\infty)}, \quad \lambda_1^\sigma = \frac{(u_1 - u_\infty)(w_1 - v_0)}{(u_1 - v_0)(w_1 - v_\infty)}, \quad \lambda_\infty^\sigma = \frac{(u_1 - u_\infty)(u_\infty - v_0)}{(u_1 - v_0)(u_\infty - v_\infty)},$

where $(u_1, u_\infty)$, $(v_0, v_\infty)$ and $(w_0, w_1)$ are the respective roots of the polynomials

$U^2 - 2\lambda_\infty U + \lambda_\infty(1 + \lambda_1) - \lambda_1,$

$V^2 - 2\lambda_\infty V + \lambda_0 \lambda_\infty, \quad \text{and}$

$(\lambda_0 - 1 - \lambda_1) W^2 + 2\lambda_1 W - \lambda_0 \lambda_1.$

Remark 3. We need to pay attention to the valuations of our Rosenhain invariants. Assuming that we begin with $\lambda_0 \equiv 0 \bmod 4$, $\lambda_1 \equiv 1 \bmod 4$ and $\mathrm{val}(\lambda_\infty) = -2$, we choose the labeling of the roots of our quadratic polynomials such that $v_0, w_0 \equiv 0 \bmod 2$, $u_1, w_1 \equiv 1 \bmod 2$, and $\mathrm{val}(u_\infty), \mathrm{val}(v_\infty) < 0$, from which $\lambda_0^\sigma \equiv 0 \bmod 4$, $\lambda_1^\sigma \equiv 1 \bmod 4$ and $\mathrm{val}(\lambda_\infty^\sigma) = -2$ follows.

4.2 Recognizing Class Polynomials in Q[X] 

In this section we explain how we use the LLL algorithm to recover the minimal polynomials over $\mathbb{Z}$ of the canonical lifted j-invariants. Let $\Lambda = (b_1, \ldots, b_m)$ be a lattice and let $\det(\Lambda)$ be its determinant. Minkowski's inequality gives the upper bound $\sqrt{m/(2\pi e)}\, \det(\Lambda)^{1/m}$ for the norm of the shortest lattice vector, and in a random lattice, one expects a minimal length vector to be close to this norm. The LLL algorithm outputs a basis of short vectors, and if we construct $\Lambda$ to have a known vector $v \in \Lambda$ of norm much smaller than this bound, then, heuristically, it will be the shortest vector in $\Lambda$.

Let $\mathbb{Z}_{2^d}$ be an extension of $\mathbb{Z}_2$ of degree $d$ with $\mathbb{Z}_2$-basis $1, w_1, \ldots, w_{d-1}$. Let $\alpha \in \mathbb{Z}_{2^d}$ generate $\mathbb{Z}_{2^d}$, and $\hat{\alpha}$ be an approximation of $\alpha$ modulo a high power of 2, say $\hat{\alpha} \equiv \alpha \bmod 2^N$. We assume that we know the degree $s$ of its minimal polynomial $f(x) \in \mathbb{Z}[x]$, i.e. $f(x) = a_s x^s + \ldots + a_0$ where the $(a_i) \subset \mathbb{Z}$ are unknown. The degree $s$ of the minimal polynomial is the degree of an irreducible factor of Igusa class polynomials, whose degree is $h_K^*$. In order to determine the $(a_i)$, we determine a basis of the left kernel in $\mathbb{Z}^{s+d+1}$ of the matrix

where $A$ is the $(s + 1) \times d$ matrix

defined by
In order to compute the basis of the left kernel, we apply the LLL algorithm in the same way as described in [10]. This kernel is a lattice $\Lambda$, in which the coefficients of the minimal polynomial of $\alpha$ are part of a short vector. Indeed, if $a_0, \ldots, a_s$ are integers with $|a_i| \ll 2^N$ such that $a_s \hat{\alpha}^s + \ldots + a_0 \equiv 0 \bmod 2^N$, then $(a_0, \ldots, a_s, \epsilon_1, \ldots, \epsilon_d)$ will be a short vector in $\Lambda$, for appropriate integers $(\epsilon_i)$. Any other solution that is not proportional to the $(a_i)$ will differ by an element of $\Lambda_0 + 2^N \mathbb{Z}^{s+d+1}$, where $\Lambda_0$ is generated by the $c_d \hat{\alpha}^{d+i} + \ldots + c_0 \hat{\alpha}^i \equiv 0 \bmod 2^N$, $1 \le i \le s - d$, coming from the minimal polynomial $g(x) = c_d x^d + \cdots + c_0$ of $\alpha$ in $\mathbb{Z}_2[x]$ having arbitrary coefficients in $\mathbb{Z}_2$. If the precision $N$ is sufficiently high, we expect the unique solution $(a_0, \ldots, a_s)$ to appear as the shortest vector in the LLL-reduced lattice basis.

We remark that we can easily compute the image of $(j_1, j_2, j_3)$ by the Frobenius $\sigma$ and therefore we have access to the powers of $(j_1^{\sigma^i}, j_2^{\sigma^i}, j_3^{\sigma^i})$ for $i \in [1, d]$. Therefore we can use this information as input of our LLL algorithm. It implies a more complicated recognition phase where we have to use the subresultant algorithm to recognize our minimal polynomials. Moreover an explosion of the coefficient size in the course of the algorithm leads us to use modular arithmetic and the Chinese remainder theorem for our computations.

5 Complexity and Comparison with Other Methods 

5.1 Complexity of the 2-Adic CM Method 

The two costly steps of the 2-adic CM method are the computation of the canonical lift and the reconstruction of the polynomials using LLL. Those two steps highly depend on the precision $k$ at which we have to compute the canonical lift in order to recover the full polynomials. This precision $k$ depends itself on the sizes of the polynomials $H_1$, $H_2$, $H_3$, for which no bound (that would depend on the class number of $K$) is known. Hence we shall keep $k$ in our formulae, although this is not a parameter under control.

By using advanced algorithms coming from point counting, the canonical lift computation takes a time which is essentially linear in the precision $k$. More precisely it has a complexity $O(M(dk)\log(k))$ where $M(dk)$ is the time for multiplying integers with $dk$ bits, that is $O(dk)$ up to logarithmic factors.

The complexity of the LLL step involves the further parameter $h_K^*$, which is the degree of the polynomials we are trying to reconstruct. Using the classical LLL algorithm, we end up with a complexity of $O((h_K^* + d)^6 k^3)$. The $L^2$ variant of Nguyen and Stehlé [30] has a better general complexity of $O((h_K^* + d)^5 (h_K^* + d + k)\, k)$, and in our case the structure of the lattice gives us an improved complexity of $O((h_K^* + d)^4 (h_K^* + d + k)\, k)$.

Now we will analyze what we could expect from the PSLQ algorithm. In [1], given an input of $h_K^* + d$ complex numbers whose integer relation is bounded by $2^k$, the PSLQ algorithm is claimed to have a number of iterations in $O((h_K^* + d)^3 + (h_K^* + d)^2 k)$. Each iteration consists of four steps. Both for the complexity in the dimension and in the precision the bottleneck step is the third step, Hermite's reduction and matrix multiplication. Therefore the complexity of one iteration is $O((h_K^* + d)^3 k)$. The total complexity of PSLQ seems to be $O((h_K^* + d)^6 k + (h_K^* + d)^5 k^2)$, thus we do not expect any improvement from using a 2-adic version of PSLQ.

5.2 Comparison with Other Methods 

The comparison with the classical CM method [35,40] is only valid for inputs at which their outputs coincide, since the inputs to each algorithm are different. In the 2-adic method one treats only CM fields where the ideal (2) has a special structure, and moreover the input is not the field but a hyperelliptic curve over a small finite field. In the classical CM method one starts directly from a CM field, with the requirement that the class number of the real subfield is 1. The main advantage of the 2-adic method compared to the classical method is that the complex floating point evaluation of theta constants at the period matrices (which is the bottleneck in the classical method) is replaced by a p-adic canonical lifting procedure for which we have precise control over precision and precision loss (there is none). Furthermore, the time-complexity of the evaluation of theta constants is quadratic in the required precision, whereas the canonical lift is essentially linear in the precision. On the other hand, the drawback of the 2-adic CM method is that the reconstruction step is much more expensive than in the classical case, since the step of building a polynomial from its roots is replaced by a call to the LLL algorithm. In this latter case, the complexity becomes again quadratic in the precision. In other words, by changing the method, we have moved the bottleneck of the approach from the first step to the second step.

We can also compare to the CRT approach [9,16]. In that case, to be able to build a class polynomial whose coefficients have $k$ bits, one needs to use $O(k)$ small finite fields $\mathbb{F}_{p_i}$, where $p_i$ is $O(k)$. Finding the appropriate curves implies $O(p_i^3)$ steps for each $p_i$, since we essentially have to enumerate all isomorphism classes over the field $\mathbb{F}_{p_i}$. Hence the complexity is more than quadratic in the precision, so that the CRT method is not competitive with the other methods in terms of required precision. This ignores the endomorphism ring computation which is exponential in $p_i$ in the worst case (but might be controlled by a more selective sieving for CRT primes).

5.3 Experiments 

All of the experiments we carried out were written using Magma [12] and C routines. 
The 2-adic arithmetic is taken from an experimental gmp-style library 
called Mploc which was developed by E. Thomé [37]. It currently contains far 
more than the 2-adic arithmetic, including efficient arithmetic in Q_p, Q_p[W], and 
extensions of Q_p. We use the NTL [34] library for the floating-point LLL routine, as 
at the time we developed our program, Stehlé's LLL C routines were not available [36]. 
All the experiments were conducted on a 2.4 GHz Athlon 64. On such 
a computer, computing irreducible factors of Igusa class polynomials of degree 
less than twenty is a question of minutes. 
Example. Let C be the curve of equation y^2 + h(x)y + f(x) = 0 over F_32 = 
F_2[t]/(t^5 + t^2 + 1), with f(x) = x^5 + t^20 x^3 + t^17 x^2 + t^19 x and h(x) = x^2 + t^9 x. The 
curve is ordinary and has CM by the maximal order of K = Q(i√(75 + 12√17)). 
The field K is non-normal and its class number is 50; so we have h_K^* = 100 
isomorphism classes of principally polarized abelian varieties. 

Looking for a minimal polynomial of the lifted value of j_1, the LLL algorithm 
produced a plausible answer of degree 50. A more subtle analysis of the Galois 
theory in fact predicts that the class polynomial of degree 100 is reducible over 
the rationals, splitting in two factors of degree 50. Using our method, we produce 
one of these two factors H_1(X), with the corresponding polynomials H_2(X) and 
H_3(X). The leading coefficient of H_1 is 3^50 · 11^156 · 17^60 · 23^72 · 41^24 · 73^12 · 83^12 · 181^48 · 691^12, 
consistent with the theory of Goren-Lauter [20], and reduction at a large prime 
gave rise to a Jacobian whose group of rational points agreed with the expected 
order for this CM field. 

For this example, we used a 2-adic precision of 65000 bits, and the running 
time to lift the curve and compute the invariants was 20 seconds. The subsequent 
lattice reductions took about one day. This confirms that the bottleneck is in 
the second step, as predicted by the complexity estimates, and suggests that an 
improved strategy would be to lift additional j-invariants to reduce the size of 
the lattice in the reduction phase. 

6 Conclusion and Perspectives 

This work presents a new p-adic method for building Igusa class polynomials 
for genus two curves, that can be used to efficiently produce CM curves suitable 
for cryptography. Our method makes use of p-adic lifting techniques borrowed 
from point counting algorithms. The algorithm performs well in practice and has 
allowed us to treat much larger class numbers than previously reported in the 
literature. 

In order to deal with such large degree class polynomials, we were led to 
introduce a new representation for the ideal of CM points, so that the final step 
of the CM method — namely reducing the polynomials modulo an appropriate 
prime p and constructing the corresponding curve equation — no longer requires 
a combinatorial search for one valid tuple of invariants among the h_K^{*3} candidate tuples when 
using class polynomials of degree h_K^*. 

Our work is based on curves of characteristic 2, which places a restriction on 
which CM fields we can treat. This is analogous to the condition on discriminants 
treatable by the CM construction in genus 1 using reduced class polynomials in 
terms of Weber functions. Extending this algorithm to other small characteris- 
tics p would impose an independent condition so that more CM fields could be 
treated. Such algorithms are the subject of ongoing investigation, motivated by 
this research. 

As the discussion of complexity issues indicates, the different methods for 
building Igusa class polynomials (complex analytic, p-adic analytic, CRT) all 
have advantages and limitations. Combining them in order to take advantage of 
the best of each method is something that should be explored. For example, an 
algebraic formula for the exact leading coefficient of the Igusa class polynomials 
(see [20]) would be of benefit, to a greater or lesser extent, in each of these 
methods. We note that the bottleneck of the classical CM method is the evaluation 
of theta constants. Recently, Dupont [15] developed new algorithms for this 
task, yielding a huge performance improvement for the classical CM method. 
Further investigation of the limiting steps for the classical and p-adic methods 
will determine in the end which algorithm applies most effectively to a given 
problem. 
A Cryptographic CM Curve Generation on One Example 

We start with the curve C of equation y^2 + h(x)y + f(x) = 0 over F_8 = F_2[t]/(t^3 + 
t + 1), with f(x) = x^5 + t^6 x^3 + t^5 x^2 + t^3 x and h(x) = x^2 + x. The curve is ordinary 
and has complex multiplication by the maximal order of K = Q(i√(23 + 4√5)). 
The field K is non-normal and its class number is 3; so we have 6 isomorphism 
classes of principally polarized abelian varieties. We apply our algorithm and 
compute the canonical lift of C to high precision (in fact, a posteriori, we see 
that 1200 bits are enough) and get its invariants. From this we reconstruct the 
minimal polynomial H_1 and the corresponding H_2 and H_3. As expected, the 
degree of H_1 is 6. 



From the Newton polygon of H_1 for the 2-adic valuation, we see that there 
are three roots that have valuation 0, and the others have negative valuation. 
Hence only three of the curves have good reduction modulo 2. However, since 
H_1 is irreducible over Q, the 2-adic lifted invariants of any of the three conjugate 
curves yield the whole H_1. 

Choosing the 120-bit prime p = 954090659715830612807582649452910809, 
and solving a norm equation in the endomorphism ring O_K, we know that a 
solution (j_1, j_2, j_3) to the Igusa class polynomials gives the invariants of a genus 
2 curve whose Jacobian has prime order 

910288986956988885753118558284481029311411128276048027584310525408884449 

of 240 bits. We find a corresponding curve: 

C : y^2 = x^6 + 827864728926129278937584622188769650 x^4 
+ 102877610579816483342116736180407060 x^3 
+ 335099510136640078379392471445640199 x^2 
+ 351831044709132324687022261714141411 x 
+ 274535330436225557527308493450553085 

and a test of a random point on the Jacobian verifies the group order. 
Abstract. It has been recently acknowledged [4,6,9] that the use of 
double base representations of scalars n, that is an expression of the form 
n = Σ_{s,t} (−1)^e A^s B^t, can speed up significantly scalar multiplication on 
those elliptic curves where multiplication by one base (say B) is fast. This 
is the case in particular of Koblitz curves and supersingular curves, where 
scalar multiplication can now be achieved in o(log n) curve additions. 

Previous literature dealt basically with supersingular curves (in characteristic 
3, although the methods can be easily extended to arbitrary 
characteristic), where A, B ∈ N. Only [4] attempted to provide a similar 
method for Koblitz curves, where at least one base must be non-real, 
although their method does not seem practical for cryptographic sizes (it 
is only asymptotic), since the constants involved are too large. 

We provide here a unifying theory by proposing an alternate recoding 
algorithm which works in all cases with optimal constants. Furthermore, 
it can also solve the until now untreatable case where both A and B are 
non-real. The resulting scalar multiplication method is then compared to 
standard methods for Koblitz curves. It runs in less than log n / log log n 
elliptic curve additions, and is faster than any given method with similar 
storage requirements already on the curve K-163, with larger improvements 
as the size of the curve increases, surpassing 50% with respect to 
the τ-NAF for the curves K-409 and K-571. With respect to windowed 
methods, that can approach our speed but require O(log(n)/log log(n)) 
precomputations for optimal parameters, we offer the advantage of a 
fixed, small memory footprint, as we need storage for at most two additional 
points. 
1 Introduction 

In cryptographic algorithms designed around elliptic curves, the most expensive 
part is the scalar multiplication nP, where P lies on the curve. In order to speed 
up this computation, it was proposed already at a very early stage of their use 
to adopt special families of curves where a large multiple of P can be computed 
very quickly. This is the case of endomorphism curves [15] or Koblitz curves 
E_a [17]. 

We will examine more closely this latter class of curves. Defined over F_{2^p}, they 
are endowed with the Frobenius endomorphism τ of the rational point group E_a(F_{2^p}). 
Now, τP is a large multiple of P which can be computed in time O(1) using 
normal bases or O(p) using polynomial bases. The map τ is also identified with 
a complex root of an equation of the form τ^2 ± τ + 2 = 0 that depends only on the 
curve equation. Using τ, one can devise good scalar multiplication algorithms, see 
§§ 2.3, 2.5 and 2.6. All these algorithms compute nP with Ω(log n) costly curve 
operations (such as a doubling or an addition). We call these algorithms linear (in 
the number of curve operations with respect to the bit size of the field), since also 
the number of curve operations is O(log n). There are two ways of improving over 
these algorithms: either we devise algorithms with lower complexity (sublinear 
methods), or we reduce the number of group operations by some multiplicative 
factor. We deal here with the former paradigm. 

The novelty of our approach is to combine the use of τ with double bases, first 
introduced in elliptic curve cryptography in [11]. To achieve this, we consider 
a more general setting of double base number systems (DBNS) that can be 
applied also to other classes of curves, such as supersingular curves over fields 
of characteristic 3, where in place of the Frobenius the fast operation is point 
tripling. We show how to find decompositions 

n = Σ_{i=1}^{k} (−1)^{e_i} A^{s_i} B^{t_i} 

with (A, B) a suitable pair of algebraic integers (such as (2,3), (3,τ), or (τ̄,τ)), 
s_i, t_i nonnegative integers and e_i ∈ {0,1}. The length k of this expansion is 
O(log n / log log n). We reveal, similarly to [6], a scalar multiplication algorithm with 
cost O(log n / log log n) curve operations in presence of a fast group endomorphism. 
We call such an algorithm sublinear, when the number of curve operations over the 
bit size of the field goes to zero. 

This is a first instance of a practical sublinear scalar multiplication algorithm 
with very little precomputations (which depend only on p, not the curve or the 
point P) or storage requirements (O(log p) bits). We provide some computational 
comparisons with other methods to show that even on 163-bit curves, our method 
yields better results. 

We use the notation Ω(x) to mean ≥ cx for positive c. 
2 Background Material 

2.1 Double Bases 

Following [8], albeit with a slightly different notation, we will call an (A, B)-integer 
a number which can be written as A^i B^j for some nonnegative integers i, j. We 
will extend the definition to algebraic integers, more precisely, integers in Z[τ]. 
We will also allow A, B ∈ Z[τ]. We define an (A, B)-integer expansion of n as a 
decomposition of n into a sum of (possibly signed) (A, B)-integers. Sometimes 
this will be also called a DBNS(A, B) recoding. 

2.2 Koblitz Curves 

For a general presentation of Koblitz curves, we refer to [13, § 15.1.1]. A Koblitz 
curve E_a is an elliptic curve defined over F_{2^p}, with equation 

E_a : y^2 + xy = x^3 + ax^2 + 1 . (1) 

Here a = 0 or 1, and p is a prime chosen so to make the order of the group of 
points E_a(F_{2^p}) equal to twice (if a = 1, resp. four times if a = 0) a prime number, 
for at least one choice of a. A point P ∈ E_a(F_{2^p}) is then randomly chosen with 
order equal to that large prime. In view of Hasse's theorem, which states that 
|#E_a(F_{2^p}) − 2^p − 1| ≤ 2^{p/2+1}, this means that we can choose P so that ord P is 
very close to 2^{p−1} if a = 1 and to 2^{p−2} if a = 0. Since E_a has coefficients in 
F_2, the Frobenius map τ(x,y) = (x^2, y^2) is an endomorphism of E_a(F_{2^p}). Since 
squaring is a linear operation in characteristic two, computing τP is also linear 
and takes time O(p). If normal bases are used to represent elements of F_{2^p}, then 
computing τP is much faster, since it amounts to making two rotations, which 
is essentially free. 

We can view τ as a complex number of norm 2 satisfying the quadratic 
equation τ^2 − (−1)^{1−a} τ + 2 = 0, since for any P on the curve, τ^2 P + 2P = 
(−1)^{1−a} τP. Explicitly, τ = ((−1)^{1−a} + √−7)/2. We will also make use of the 
conjugate τ̄ = (−1)^{1−a} − τ of τ. This corresponds to the dual of the Frobenius 
endomorphism. 

2.3 The τ-NAF for Koblitz Curves 

All facts here are stated without proofs: These are found in [24,25]. 

Let us consider the Koblitz curve E_a defined over F_{2^p} by equation (1), with 
base point P, and let τ denote the Frobenius endomorphism. We have seen that 
we can view τ(P) as multiplication by τ and let Z[τ] operate on P, but in fact 
there exists an integer λ such that τ(P) = λP, and thus τ operates on the whole 
subgroup generated by P like multiplication by λ. 

The τ-adic non-adjacent form (τ-NAF for short) of an integer z ∈ Z[τ] is a 
decomposition z = Σ_i z_i τ^i where z_i ∈ {0, ±1} with the non-adjacency property 
z_i z_{i+1} = 0, similarly to the classical NAF [21]. The average density (that is the 
average ratio of non-zero bits related to the total number of bits) of a τ-NAF is 
1/3. Each integer z admits a unique τ-NAF. 

The length of the τ-NAF expansion of a randomly chosen scalar n is ≈ 2p, 
whereas the bit length of n is ≈ p. But, for any point P ∈ E_a(F_{2^p}) \ E_a(F_2), 
τ^p P = P and τP ≠ P. 

Since the ring Z[τ] is Euclidean we can take the remainder ζ of n mod (τ^p − 1)/(τ − 1) 
and use it in place of n. This ζ will have smaller norm than that of (τ^p − 1)/(τ − 1), 
and thus length at most p. Its τ-NAF is called the reduced τ-NAF of n and when 
P has prime order, it can be shown that nP = ζP. 

The double-and-add scalar multiplication algorithm is a Horner scheme for the 
evaluation of nP using the binary expansion of n = Σ_{i=0}^{ℓ} n_i 2^i as Σ_{i=0}^{ℓ} n_i 2^i P. In 
a similar way we can evaluate zP = Σ_i z_i τ^i(P) by a Horner scheme, and the 
corresponding algorithm is called a τ-and-add algorithm. It is much faster than 
the double-and-add scheme on Koblitz curves because Frobenius evaluations are 
much faster than doublings. 

2.4 Point Halving 

Point halving (see [16] and [22,23]) is a technique to improve the performance 
of cryptosystems based on binary elliptic curves. The idea is to replace, in the 
double-and-add algorithm for scalar multiplication, doublings 2Q by halvings 
(1/2)Q = ((ord Q + 1)/2) Q. Even though halving is not as fast as a Frobenius operation, it 
is much faster than doubling (between two and three times faster), according to 
literature [16,22,23] as well as [14]. 

2.5 Inserting a Halving in the τ-Adic Scalar Multiplication 

In [1] a single point halving is inserted in the “τ-and-add” scalar multiplication. 
This brings a non-negligible speedup (up to 14%) with respect to the use of the τ-NAF, 
but is not optimal. In [3] the method is refined in order to bring the speed-up 
to 25%, and the resulting method is proved optimal among similar methods 
that do not require any precomputation. The basic idea in both approaches is 
to express nP as Σ_i e_{0,i} τ^i(P) + Σ_i e_{1,i} τ^i(Q) with Q = (1/2)P and a smaller total 
Hamming weight of the e_{j,i}'s. The τ-and-add loop is repeated two times: first 
Σ_i e_{1,i} τ^i(P) is computed, then the result is halved and a second τ-and-add loop 
is performed like for the computation of Σ_i e_{0,i} τ^i(P), but starting with the 
result just obtained in place of 0. 

2.6 Further Developments in τ-Adic Representations 

The authors of [19] generalize the approach of [1] to expressions of the form 
Σ_i e_{0,i} τ^i(P) + Σ_i e_{1,i} τ^i(f_1(P)) + ··· + Σ_i e_{2^{u−2}−1,i} τ^i(f_{2^{u−2}−1}(P)), where 1 and 
the f_j are representatives of the residue classes modulo τ^u in the ring Z[τ] which 
are coprime to τ, and e_{j,i} ∈ {0, ±1}. Such an expression can be obtained from 
a τ-adic windowed recoding [25]. If a window of width u is used, then the τ-and-add 
loop is performed 2^{u−2} times in place of two times as in the method of 
§ 2.5. Thus, the number of Frobenius operations can increase exponentially with 
u. To ensure that this does not become a performance problem if polynomial 
bases are used, a technique from [20] is adopted to convert between normal and 
polynomial bases as required to quickly compute iterated Frobenius operations. 

At the end of the τ-and-add loop corresponding to the digit f_j the partial 
result must be multiplied by f_{j+1}/f_j before starting the τ-and-add loop corresponding 
to the next digit f_{j+1}. The relations between the f_j's and their inverses 
must then be given explicitly. In [19] this is done for w = 5. Even though the authors 
cannot present the results in a completely general way, in the case described 
in [19] the reduction in memory consumption (or, equivalently, the speed-up with 
respect to other methods with no precomputations) is noteworthy. In order to 
generalize their approach the digit set itself has to be modified. In [2] it is shown 
how to do so. 

2.7 Supersingular Elliptic Curves in Characteristic 3 

We refer to [18] for generalities on supersingular elliptic curves. We will consider 
the curves E_b, defined over F_{3^m} by the Weierstraß equations [5] 

y^2 = x^3 − x + b 

with b = ±1. On these curves, the tripling operation sends P = (x, y) to 
3P = (x^9 − b, −y^9), meaning that point tripling is essentially equivalent to two 
Frobenius operations and its cost will be considered negligible. 

3 Theoretical Preliminaries 

All the new results proving the sublinearity of the new DBNS decompositions 
are based on the following propositions. These results appear naturally in any 
elementary number theory book during the proof of the structure theorem for 
(Z/m)^*, the multiplicative group of invertible classes modulo m. In the sequel, 
we let R be a unique factorization domain containing Z (we will consider in 
practice R = Z and R = Z[τ], where τ is the Frobenius endomorphism on a 
Koblitz curve). This is more stringent than necessary, however, it will make the 
proofs less elaborate. 

Notation: For gcd(a, b) = 1, we denote ord_b(a) the multiplicative order of a 
(mod b). 

Lemma 1. Let π be a prime, p > 0 a generator of πR ∩ Z and k ≥ 2 an integer. 
Let a ∈ R. Then (1 + aπ^k)^p ≡ 1 + paπ^k (mod π^{k+2}). 

Proof. Note first that p is prime in Z. Using the binomial theorem, we write out 
the left-hand side of the congruence as (1 + aπ^k)^p = 1 + paπ^k + Σ_{i=2}^{p} binom(p, i) a^i π^{ki}. 
If k ≥ 2, then 2k ≥ k + 2 so that π^{k+2} | π^{ki}. □ 

Now the following result is proved immediately by induction. 

Lemma 2. Let π, p, k, a be as in Lemma 1. If u ≥ 0, then (1 + aπ^k)^{p^u} ≡ 1 + p^u aπ^k 
(mod π^{k+u+1}). 
Lemma 3. Let π, p be as in Lemma 1, α, β ∈ R such that α ≡ β (mod π^u) for 
some u ≥ 1. Then α^p ≡ β^p (mod π^{u+1}). 

Proof. We proceed as in the proof of Lemma 1. We write α = β + aπ^u. Then 
α^p = β^p + Σ_{i=1}^{p} binom(p, i) β^{p−i} a^i π^{iu}. Note that π^{u+1} | π^{iu} if i ≥ 2. For i = 1 the term 
in the summation is pβ^{p−1} a π^u. Since π | p, we are done. □ 

Theorem 1. Let α ∈ R and d = ord_{π^2}(α). Assume also that π is unramified 
over p, in other words that π ∤ (p/π). Let 

k = max{u ≥ 2 : d = ord_{π^u}(α)} . 

Then 

ord_{π^u}(α) = d if u ≤ k, and ord_{π^u}(α) = d p^{u−k} if u ≥ k . 

Proof. It is clear that ord_{π^u}(α) = d if u ≤ k. We then prove by induction that 
ord_{π^{k+u}}(α) = dp^u if u ≥ 1. 

Since α^d ≡ 1 (mod π^k) we deduce by Lemma 3 α^{dp} ≡ 1 (mod π^{k+1}). Therefore 
ord_{π^{k+1}}(α) | dp but also d | ord_{π^{k+1}}(α) and d ≠ ord_{π^{k+1}}(α) by definition of k. 
Hence ord_{π^{k+1}}(α) = dp and the initial step (u = 1) of the induction is proved. 
Assume therefore that ord_{π^{k+u}}(α) = dp^u. 

Notice also that we must then have 

α^d ≡ 1 + aπ^k (mod π^{k+1}) where π ∤ a . 

By Lemma 2, we then have 

α^{dp^u} ≡ 1 + p^u aπ^k = 1 + a(p/π)^u π^{k+u} (mod π^{k+u+1}) . 

Since π | p is unramified, we have α^{dp^u} ≢ 1 (mod π^{k+u+1}). By the induction 
hypothesis, dp^u | ord_{π^{k+u+1}}(α) and we just found that these two numbers are 
different. Since by Lemma 3 again ord_{π^{k+u+1}}(α) | dp^{u+1} and p is prime, it must 
be ord_{π^{k+u+1}}(α) = dp^{u+1}. This completes the proof. □ 

We can appeal to this theorem to easily find the order of known elements modulo a 
power of a prime. We let τ be the Frobenius on a Koblitz curve as described 
previously, viewing it as a complex root of X^2 + (−1)^a X + 2 = 0. Then Z[τ] 
is Euclidean hence a unique factorization domain. We have that τ is prime in 
Z[τ] and likewise for τ̄ = (−1)^{a+1} − τ, its complex conjugate. Also, τ | 2 = ττ̄ is 
unramified, since τ and τ̄ are coprime. 

Corollary 1. We have the following. 

ord_{3^u}(2) = 2 · 3^{u−1}   (u ≥ 1), 

ord_{2^u}(3) = 2^{u−2}   (u ≥ 3), 

ord_{τ^u}(3) = 2^{u−2}   (u ≥ 3), 

ord_{τ^u}(τ̄) = 2^{u−2}   (u ≥ 3) . 
Proof. The first equality follows from the fact that 6 = ord_9(2) < ord_27(2) and 
an actual verification for u = 1. 

For the second, notice that ord_4(3) = 2 = ord_8(3) < ord_16(3). 

For the third, it suffices to notice that 2^u | 3^j − 1 if and only if τ^u | 3^j − 1. 
The “only if” part is obvious, since τ | 2. For the “if” part, notice that by 
taking conjugates we also have τ̄^u | 3^j − 1 and since τ and τ̄ are coprime we get 
τ^u τ̄^u | 3^j − 1. 

Finally, (−1)^{a+1} τ̄ = −1 − τ^2, hence τ̄^2 = 1 + τ̄τ^3 + τ^4. This yields immediately 
2 = ord_{τ^2}(τ̄) = ord_{τ^3}(τ̄) < ord_{τ^4}(τ̄) if a = 1 or 1 = ord_{τ^2}(τ̄) < 2 = ord_{τ^3}(τ̄) < 
ord_{τ^4}(τ̄) if a = 0 and the last formula. □ 

This leads to the main theorem of this section. 

Theorem 2. 1. Every N ∈ Z with 3 ∤ N is congruent modulo 3^u, (u ≥ 1), to 
precisely one of the numbers 2^j, 0 ≤ j < 2 · 3^{u−1}. 

2. Every N ∈ Z[τ] with τ ∤ N is congruent modulo τ^u, (u ≥ 3), to precisely one 
of the numbers (−1)^e A^j, e = 0, 1 and 0 ≤ j < 2^{u−2}, for A = 3 or τ̄. 

Proof. There are exactly φ(3^u) = 2 · 3^{u−1} residue classes coprime to the modulus 
3^u. Hence, the first part of the theorem follows from the first equality of 
Corollary 1. 

For the second, begin by noting that #Z[τ]/τ^u = 2^u (since the norm of τ^u is 
2^u) and #(Z[τ]/τ^u)^* = 2^{u−1}, since elements divisible by τ are exactly the kernel 
of the reduction homomorphism Z[τ]/τ^u → Z[τ]/τ. Therefore it suffices to prove 
that the numbers listed in the theorem are all distinct modulo τ^u. Suppose then 
that (−1)^e A^j ≡ (−1)^{e'} A^{j'} (mod τ^u). Reducing modulo τ^3, we get that e = e', 
since the coprime residues modulo τ^3 are ±1, ±A. Hence A^j ≡ A^{j'} (mod τ^u) 
and by Corollary 1, we must have j = j'. This proves the theorem. □ 

4 Algebraic Algorithms for DBNS Recoding and Scalar 
Multiplication 

The results hitherto proved allow us to provide new double base recodings of 
scalars. Unlike previous algorithms [4, 6, 8, 9] these are not greedy and proceed 
from right to left (i.e. from the smallest powers of the fast endomorphism to the 
largest). 

Algorithm 1 implements a first version of a new DBNS recoding. We have 
given here an unsigned version, which, by a result of [4], must have at least 
(1 + o(1)) log n / log log n terms. The algorithm works by Theorem 2, which says 
that in Step 6 we can always find j. The termination of the algorithm is also 
simple here since in Step 7, N stays positive but becomes strictly smaller. A 
signed version, suitable for implementation on E_b, can be readily obtained and 
is left to the reader. 



Extending Scalar Multiplication Using Double Bases 137 

Algorithm 1. Unsigned right-to-left DBNS(2,3) recoding 
Input: An integer n > 0 and a parameter u. 
Output: Two arrays s[], t[] and their common length k. The arrays are 
sequences of exponents in the decomposition n = Σ_{i=0}^{k−1} 2^{s[i]} 3^{t[i]}. 

1. N ← n, i ← 0, t ← 0 
2. t[] ← 0, s[] ← 0 
3. while N > 4^{3^{u−1}} do 
4.   while 3 | N do 
5.     N ← N/3, t ← t + 1 
6.   Find 0 ≤ j < 2 · 3^{u−1} with N ≡ 2^j (mod 3^u) 
7.   N ← (N − 2^j)/3^u 
8.   s[i] ← j, t[i] ← t 
9.   t ← t + u, i ← i + 1 
10. while N > 0 do 
11.   while 3 | N do 
12.     N ← N/3, t ← t + 1 
13.   if N ≡ 1 (mod 3) then 
14.     N ← (N − 1)/3, s[i] ← 0 
15.   else 
16.     N ← (N − 2)/3, s[i] ← 1 
17.   t[i] ← t, t ← t + 1, i ← i + 1 
18. return s[], t[], i 

Algorithm 2 implements a signed algorithm using a complex double base (3, τ), 
resp. (τ̄, τ), to be used on a Koblitz curve E_a, resp. a supersingular elliptic curve 
in characteristic 3. 


Algorithm 2. Signed right-to-left DBNS(A, τ) recoding (A = 3 or τ̄) 
Input: An integer ζ ∈ Z[τ] and a parameter u. 

Output: Three arrays s[], t[], e[] and their common length k. The arrays are 
sequences of exponents in the decomposition ζ = Σ_{i=0}^{k−1} (−1)^{e[i]} A^{s[i]} τ^{t[i]}. 

1. N ← ζ, i ← 0, t ← 0 
2. t[] ← 0, s[] ← 0, e[] ← 0 
3. while |N| > 2^{2^{u−1}} do [See Remarks below] 
4.   while τ | N do 
5.     N ← N/τ, t ← t + 1 
6.   Find 0 ≤ j < 2^{u−2} and e = 0, 1 with N ≡ (−1)^e A^j (mod τ^u) 
7.   N ← (N − (−1)^e A^j)/τ^u 
8.   s[i] ← j, t[i] ← t, e[i] ← e 
9.   t ← t + u, i ← i + 1 
10. while |N| > 0 do 
11.   while τ | N do 
12.     N ← N/τ, t ← t + 1 
13.   if N ≡ 1 (mod τ^2) then 
14.     N ← (N − 1)/τ^2, e[i] ← 0 
15.   else 
16.     N ← (N + 1)/τ^2, e[i] ← 1 
17.   t[i] ← t, t ← t + 2, i ← i + 1 
18. return s[], t[], e[], i 

Remarks 

1. In the case A = τ̄, we can replace the lower bound in line 3 by 2^{2^{u−3}}. 

2. To reduce the length of the expansion, it is possible to adapt u to the size 
of N. For instance, if A = τ̄, replace line 3 by 

3. while |N| > 0 do 

and after line 5 add 

6. while |N| < 2^{2^{u−3}} do u ← u − 1 

Doing that, lines 10 to 17 are no longer necessary. This modification helps 
to save a few more additions in Algorithm 4. See Table 1. 

By Theorem 2 again, the algorithm is consistent. The only point left to show 
is that it will terminate, namely that we have eventually |N| ≤ 2^{2^{u−1}}, since upon 
entering Step 10, the algorithm computes the τ-NAF of N, hence termination is 
guaranteed. 

Indeed notice that if |N| > 2^{2^{u−1}} then 

|(−1)^e A^j| ≤ 3^j < 3^{2^{u−2}} < 4^{2^{u−2}} < |N| (2) 

therefore in Step 7 

|N − (−1)^e A^j| / |τ^u| ≤ 2|N| / |τ^u| = |N| / |τ^{u−2}| (3) 

since u ≥ 3. Since |N|^2 ∈ N (it is the norm of the algebraic integer N ∈ Z[τ]), 
eventually |N| ≤ 2^{2^{u−1}} and the algorithm terminates. 

In the case when A = τ̄ and the lower bound is 2^{2^{u−3}}, we replace (2) by 

|(−1)^e τ̄^j| ≤ 2^{j/2} < 2^{2^{u−3}} < |N| 

and we proceed as in (3) to show that |N| diminishes. Therefore our algorithms 
are correct. Notice that we apply Algorithm 2 to the reduced τ-NAF of n 
(see Section 2.3). 

After running Algorithms 1 or 2 and before Algorithm 3, that computes the 
scalar multiplication, we have to shuffle the indices i in the arrays e[], s[], t[] so 
as to get s[i + 1] ≥ s[i] for all i and t[i + 1] ≥ t[i] in case s[i + 1] = s[i]. In 
Algorithm 3, set e[i] = 0 if using an unsigned recoding. 
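The τ-NAF of Section 2.3 and Algorithm 2 with A = 3, as an added Python example that is not code from the paper: elements of Z[τ] are pairs (x, y) for x + yτ, the reduction modulo τ^u is done through an integer λ ≡ τ (mod τ^u) taken as the even root of X^2 − μX + 2 modulo 2^u (an assumption about how to implement Step 6, not a description from the paper), and the reduction of n modulo (τ^p − 1)/(τ − 1) is skipped, so the scalar n itself is the input ζ. The sample scalar in `demo` is constructed.

```python
def zt_mul(p, q, mu):
    """Product in Z[tau]; tau^2 is rewritten as mu*tau - 2, mu = (-1)^(1-a)."""
    (x1, y1), (x2, y2) = p, q
    return (x1 * x2 - 2 * y1 * y2, x1 * y2 + x2 * y1 + mu * y1 * y2)

def zt_norm(p, mu):
    """|x + y tau|^2 = (x + y tau)(x + y tau_bar) = x^2 + mu x y + 2 y^2."""
    x, y = p
    return x * x + mu * x * y + 2 * y * y

def zt_div_tau(p, mu):
    """Exact division by tau; tau divides x + y*tau exactly when x is even."""
    x, y = p
    assert x % 2 == 0, "not divisible by tau"
    return (y + mu * (x // 2), -(x // 2))

def zt_eval(coeffs, mu):
    """sum(coeffs[i] * tau^i) in Z[tau]; used to check both recodings."""
    total, tp = (0, 0), (1, 0)
    for c in coeffs:
        total = (total[0] + c * tp[0], total[1] + c * tp[1])
        tp = zt_mul(tp, (0, 1), mu)
    return total

def tau_image(u, mu):
    """Integer lambda with tau = lambda (mod tau^u): the even root of X^2 - mu X + 2 modulo
    2^u, lifted one bit at a time (assumption: this is how the reduction is implemented here).
    Z[tau]/tau^u has 2^u elements and contains the image of Z, so reducing x + y*tau modulo
    tau^u amounts to computing x + y*lambda modulo 2^u."""
    lam = 0
    for k in range(2, u + 1):
        if (lam * lam - mu * lam + 2) % (1 << k):
            lam += 1 << (k - 1)
    return lam

def tau_naf(z, mu):
    """Section 2.3: digits z_i in {0, 1, -1}, no two adjacent nonzero, z = sum z_i tau^i."""
    x, y = z
    digits = []
    while (x, y) != (0, 0):
        if x % 2:
            d = 2 - (x - 2 * y) % 4      # +1 or -1, chosen so that (z - d)/tau is again even
            x -= d
        else:
            d = 0
        digits.append(d)
        x, y = zt_div_tau((x, y), mu)
    return digits

def dbns_3tau_recode(zeta, u, mu):
    """Algorithm 2 with A = 3: zeta == sum((-1)**e[i] * 3**s[i] * tau**t[i]) in Z[tau]."""
    assert u >= 3
    lam, m = tau_image(u, mu), 1 << u
    table = {}                           # Theorem 2(2): (-1)^e 3^j covers the units mod tau^u
    for j in range(1 << (u - 2)):
        table[pow(3, j, m)] = (j, 0)
        table[(-pow(3, j, m)) % m] = (j, 1)
    s, t, e, N, tpow = [], [], [], zeta, 0
    while zt_norm(N, mu) > 1 << (1 << u):           # Step 3: |N| > 2^(2^(u-1)), squared
        while N[0] % 2 == 0:                        # Steps 4-5
            N = zt_div_tau(N, mu)
            tpow += 1
        j, sign = table[(N[0] + N[1] * lam) % m]    # Step 6
        N = (N[0] - (-1) ** sign * 3 ** j, N[1])    # Step 7: subtract (-1)^e 3^j ...
        for _ in range(u):                          # ... then divide exactly by tau^u
            N = zt_div_tau(N, mu)
        s.append(j); t.append(tpow); e.append(sign) # Step 8
        tpow += u                                   # Step 9
    while N != (0, 0):                              # Steps 10-17: tau-NAF-like tail
        while N[0] % 2 == 0:
            N = zt_div_tau(N, mu)
            tpow += 1
        sign = 0 if (N[0] + 2 * N[1]) % 4 == 1 else 1   # N = 1 (mod tau^2) iff x + 2y = 1 (mod 4)
        N = zt_div_tau(zt_div_tau((N[0] - (-1) ** sign, N[1]), mu), mu)
        s.append(0); t.append(tpow); e.append(sign)
        tpow += 2
    return s, t, e

def dbns_to_coeffs(s, t, e):
    """Collect a DBNS(3, tau) expansion as tau-adic coefficients for zt_eval."""
    coeffs = [0] * (max(t) + 1)
    for j, k, sign in zip(s, t, e):
        coeffs[k] += (-1) ** sign * 3 ** j
    return coeffs

def demo(n, u, mu):
    """(tau-NAF weight, number of DBNS(3, tau) terms) for the scalar n, mu = (-1)^(1-a)."""
    naf = tau_naf((n, 0), mu)
    s, t, e = dbns_3tau_recode((n, 0), u, mu)
    assert zt_eval(naf, mu) == (n, 0) and zt_eval(dbns_to_coeffs(s, t, e), mu) == (n, 0)
    return sum(d != 0 for d in naf), len(s)

if __name__ == "__main__":
    print(demo(2 ** 163 // 7, 5, 1))     # constructed sample scalar, K-163 size, a = 1
```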
Algorithm 3. Scalar Multiplication from a DBNS(A, B) expansion 
Input: A point P on the curve E_a or E_b and the arrays e[], s[], t[] of length 
k such that s[i + 1] ≥ s[i] and t[i + 1] ≥ t[i] whenever s[i + 1] = s[i]. 
Output: The point Q on E_a or E_b such that Q = Σ_{i=0}^{k−1} (−1)^{e[i]} A^{s[i]} B^{t[i]} P. 

1. Q ← O, i ← k − 1 
2. s[−1] ← 0 
3. while i ≥ 0 do 
4.   Let j ≤ i be the min index with s[j] = s[i] 
5.   R ← (−1)^{e[i]} P 
6.   while i > j do 
7.     R ← 
8.     i ← i − 1 
9.   Q ← Q R 
10.  Q ← 
11. return Q 
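Algorithm 1, the index reordering and Algorithm 3 run together, as an added Python example that is not the paper's code: Steps 7, 9 and 10 of Algorithm 3 are illegible in the scan and are reconstructed here as a Horner scheme (an assumption), the group is Z with P = 1 so that the result must equal n, and a counter stands in for the cost model (A = 2 costly, B = 3 cheap). The Step 3 bound is tested after the factors of 3 have been divided out, so that N never turns negative.

```python
class CountingGroup:
    """Additive group Z standing in for the curve; counts the costly operations."""
    def __init__(self):
        self.adds = self.a_ops = self.b_ops = 0

    def add(self, x, y):
        self.adds += 1
        return x + y

    def mul_a(self, x, k, a=2):      # k applications of the slow base A (doublings)
        self.a_ops += k
        return x * a ** k

    def mul_b(self, x, k, b=3):      # k applications of the fast base B (triplings)
        self.b_ops += k
        return x * b ** k


def generator_check(u):
    """Theorem 2(1): 2^j, 0 <= j < 2*3^(u-1), runs through every unit modulo 3^u."""
    mod = 3 ** u
    powers = {pow(2, j, mod) for j in range(2 * 3 ** (u - 1))}
    return powers == {r for r in range(mod) if r % 3}


def dbns23_recode(n, u):
    """Algorithm 1 (unsigned, right to left): n == sum(2**s[i] * 3**t[i]).
    The bound of Step 3 is tested after the factors of 3 are removed (Steps 4-5),
    so 2^j < N holds in Step 7 and N never becomes negative."""
    assert n > 0 and u >= 1
    mod = 3 ** u
    log2 = {pow(2, j, mod): j for j in range(2 * 3 ** (u - 1))}  # table for Step 6
    bound = 4 ** (3 ** (u - 1))                                    # 2^j < bound for every j
    s, t, N, tpow = [], [], n, 0
    while True:
        while N % 3 == 0:                # Steps 4-5
            N //= 3
            tpow += 1
        if N <= bound:                   # Step 3
            break
        j = log2[N % mod]                # Step 6: N = 2^j (mod 3^u)
        N = (N - 2 ** j) // mod          # Step 7: exact by construction
        s.append(j)
        t.append(tpow)
        tpow += u                        # Step 9
    while N > 0:                         # Steps 10-17: ternary tail, digits 1 and 2
        while N % 3 == 0:
            N //= 3
            tpow += 1
        s.append(0 if N % 3 == 1 else 1) # 1 = 2^0, 2 = 2^1
        N = (N - 2 ** s[-1]) // 3
        t.append(tpow)
        tpow += 1
    return s, t


def sort_terms(s, t, e):
    """Reordering required by Algorithm 3: s nondecreasing, t nondecreasing within equal s."""
    order = sorted(range(len(s)), key=lambda i: (s[i], t[i]))
    return [s[i] for i in order], [t[i] for i in order], [e[i] for i in order]


def horner_scalar_mult(P, s, t, e, G):
    """Algorithm 3: Q = sum (-1)^e[i] A^s[i] B^t[i] P. Steps 7, 9 and 10 are illegible
    in the scan; they are reconstructed here (assumption) as a Horner scheme in B inside
    each block of equal s, then in A across blocks, with s[-1] = 0."""
    Q, i = 0, len(s) - 1
    while i >= 0:
        j = i
        while j > 0 and s[j - 1] == s[i]:   # Step 4: smallest j with s[j] == s[i]
            j -= 1
        R = -P if e[i] else P               # Step 5
        while i > j:                        # Steps 6-8
            R = G.add(G.mul_b(R, t[i] - t[i - 1]), -P if e[i - 1] else P)
            i -= 1
        Q = G.add(Q, G.mul_b(R, t[j]))      # Step 9 (reconstructed)
        Q = G.mul_a(Q, s[i] - (s[i - 1] if i > 0 else 0))   # Step 10 (reconstructed)
        i -= 1
    return Q


def demo(n, u):
    """Recode n, multiply P = 1 in Z and return (Q, k, additions, A-ops, B-ops)."""
    s, t = dbns23_recode(n, u)
    s, t, e = sort_terms(s, t, [0] * len(s))
    G = CountingGroup()
    return horner_scalar_mult(1, s, t, e, G), len(s), G.adds, G.a_ops, G.b_ops


if __name__ == "__main__":
    print(demo(2 ** 160 + 12345, 3))     # constructed sample scalar
```

The counters show the cost structure the paper argues about: exactly k additions, a number of A-applications equal to the largest s[i], and the remaining work in the cheap base B.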


5 Comparison with Established Methods 

We want here to give an idea of how well Algorithm 2 fares with (τ̄, τ) on 
Koblitz curves standardized by NIST. We compare our new multiplication algorithm 
with the τ-and-add using a τ-NAF expansion [24] and the width-w τ-NAF 
expansion [25]. 

For a given value of u, by (3), the number of iterations in the main loop 
(Steps 3 to 9) is bounded by the quantity c such that |ζ| = |τ^{u−2}|^c = 2^{c(u−2)/2}. 
This gives 

c = 2 log_2 |ζ| / (u − 2) = p / (u − 2) 

for a generic scalar, by the way ζ is constructed. Also, since the “tail” (i.e. the 
quantity processed in Steps 11 to 17) is a generic integer of Z[τ] of norm less than 
2^{2^u}, its expected Hamming weight is bounded by 2^{u−2}/3. Thus, the average 
Hamming weight of the new expansion is bounded by 

p/(u − 2) + 2^{u−2}/3 , 

and its worst case by 

p/(u − 2) + 2^{u−3} + 1 . (4) 

In practice, when N is large in (3), the new value of N has absolute value much 
closer to |N|/|τ^u|, therefore we should expect a Hamming weight closer to the 

Algorithm 3 then implies that the total cost of a scalar multiplication equals 
at most p/u + 2^{u−2}/3 additions plus 2^{u−2} applications of τ̄. Since an application 
of τ̄ = (−1)^{1−a} − τ corresponds to a curve addition, the total cost (in curve 
additions) is bounded from above by 

f(u) = p/u + 2^u/3 . 

In the previous argument, following [4, Section 4], we neglected the cost of applying 
τ, as we will in the following comparisons. See also Section 7 for a concrete 
approach to reducing the impact of the Frobenius to a non-dominant term. 

We can modify Algorithm 3 to make use of the advantage of halvings over 
multiplications by A = f (at least a 50% saving in performance). Indeed, let 
£' = 2 2 £ (mod T Z\ ) with minimal norm. From a DBNS(r,r) expansion 




get that 


nP = QP = = E(-l)< 



where e_i = 1 if < s'_i and 0 else. Note that this is a valid DBNS(1/2, τ) 
expansion, because for different values of i, j, the same powers of 1/2 and τ 
occur only if s'_i = s'_j and either t'_i − s'_i = t'_j − s'_j or t'_i − s'_i = p + t'_j − s'_j. Since the 
pairs (s'_i, t'_i) arise from a DBNS expansion and t'_i < p, either case is impossible. 

In this case, from (5) and the subsequent analysis, we can conclude that 
the cost of one scalar multiplication using a DBNS(l/2,r) expansion is upper 
bounded on average by g(u) curve additions, where 



For various parameters of p corresponding to the NIST curves K-163 (a = 1), 
K-233 (a = 0), K-283 (a = 0), K-409 (a = 0), K-571 (a = 0), Table 1 gives 
the scalar multiplication costs in elliptic curve additions (with the assumption 
that two halvings are equivalent to one addition) using the τ-NAF, width-w τ-NAF 
(w-τ-NAF) and our new recodings, on average, as well as the percentage 
improvement over those methods and the value of u used in minimizing the 
functions f(u) and g(u). In each case, the average is computed over 25,000 
values. 


6 Asymptotic Improvements 

We now establish the asymptotic behavior of our new scalar multiplication al- 
gorithm. Its sublinear nature will be thus revealed. We have the following. 
Table 1. Comparison of scalar multiplication algorithms on Koblitz curves 

Field size p | τ-NAF  | w-τ-NAF | w | DBNS(τ̄,τ) | u | DBNS(1/2,τ) | u  | %/τ-NAF | %/w-τ-NAF 
163          |  54.33 |   34.16 |   |      34.60 | 5 |       31.09 | 5  |  42.78% |     8.99% 
233          |  77.66 |   45.83 | 5 |      46.60 | 5 |       41.38 | 6  |  46.72% |     9.71% 
283          |  94.33 |   54.16 | 5 |      54.38 | 5 |       48.80 | 6  |  48.27% |     9.90% 
409          | 136.33 |   73.42 | 6 |      74.40 | 6 |       66.89 | 6  |  50.94% |     8.90% 
571          | 190.33 |  102.37 | 6 |      97.18 | 6 |       88.04 | ll |  53.74% |    14.00% 

Theorem 3. Algorithms 1 and 2 allow to express nP, where P ∈ E_b or P ∈ E_a, as 

$$ \sum_{i=1}^{k} (-1)^{e_i} A^{s_i} B^{t_i} P \quad\text{with } (s_i, t_i) \neq (s_j, t_j) \text{ for } i \neq j, $$

where (A, B) = (2, 3) in the case of E_b and (A, B) = (3, τ) or (τ, τ̄) in the case 
of E_a. The length k satisfies on average (the worst case being twice as large only 
in the case of E_a) 

$$ k \le (1 + o(1)) \frac{\log n}{\log\log n} \quad\text{as } n \to \infty, $$

and max s_i ≤ log n/(log log n)^2. 

Therefore scalar multiplication nP can be performed via Algorithm 3 on these 
curves with an average cost of less than (1 + o(1)) log n/log log n curve additions. 

Proof. We detail the proof in the case of Koblitz curves. In the DBNS(2, 3) case, 
simple modifications lead to the analogous result. We start with (4), letting 
u = ⌊2 + log_2 p − 2 log_2 log p⌋. We then find that k ≤ (1 + o(1)) log p/log log p. Since 
on average p = log_2 n we are done in the average case. In the worst case p has 
to be replaced by 2 log_2 |ζ|, where ζ = n if n is too small. The (average) bound 
on the s_i is immediate from Step 6 in Algorithm 2. 

Since the total cost of Algorithm 3 differs from the Hamming weight k by a 
multiple of 2^{u−2} = o(p/log p) we are done. □ 


7 On the Use of Normal vs. Polynomial Bases 

Neglecting the cost of τ is fine if normal bases are used, but when polynomial bases 
are used Frobenius operations can become expensive as u increases. One solution is 
provided, as already mentioned, by a technique introduced by Park et al. in [20] and 
used by Okeya et al. in [19]. Instead of applying a variable power of the Frobenius 
to a changing point as done in Steps 5 to 9 of Algorithm 3, we apply the Frobenius to 
the point P and accumulate directly. Only, the Frobenius is performed on a copy of 
P that has been converted to normal basis representation (hence, all powers of the 
Frobenius have essentially the same cost), and then the result is converted back to 
polynomial basis representation before adding it to the accumulator variable that 
will contain the final result at the end of the algorithm. 
Algorithm 4. (τ,τ̄)-Double Bases Scalar Multiplication on Koblitz Curves 

Input: A point P on E_a, a scalar z and arrays e[], s[], t[] of length k with 
s[i + 1] ≥ s[i] such that z = Σ_{i=0}^{k−1} (−1)^{e[i]} τ̄^{s[i]} τ^{t[i]}. 
Output: The point Q on E_a such that Q = zP = Σ_{i=0}^{k−1} (−1)^{e[i]} τ̄^{s[i]} τ^{t[i]} P. 

1. R ← normal-basis(P)                                    [Keep in affine coordinates] 
2. Q ← 0                                                  [Use López-Dahab coordinates] 
3. for i = k − 1 down to 0 do 
4.     if i ≠ k − 1 and s[i] ≠ s[i + 1] then 
5.         for j = 1 to s[i + 1] − s[i] do 
6.             Q ← τ^{−1}Q, Q ← 2Q 
7.     Q ← Q + (−1)^{e[i]} · polynomial-basis(τ^{t[i]} R)     [Mixed coordinates] 
8. return Q 



With our notation the resulting method is presented as Algorithm 4, in a 
version that uses mixed coordinate arithmetic and projective (𝒫) or López- 
Dahab (𝓛𝓓) coordinates [12, § 13.3] while keeping the points P and R in affine 
(𝒜) coordinates. 

There we use the fact that 2 = ττ̄ to implement τ̄ as a doubling with an 
inverse of a Frobenius, an operation that requires three square root extractions 
in 𝒫 or 𝓛𝓓. A square root extraction costs between 1/8 and 1/2 of a multipli- 
cation depending on the field [14]. A doubling in 𝓛𝓓 costs 4 multiplications and 
4 squarings, whereas a mixed coordinate addition (i.e. adding a point in 𝒜 to a 
point in 𝓛𝓓 with a result in 𝓛𝓓) costs 9 multiplications and 5 squarings. The 
time required by a basis conversion (routines normal-basis and polynomial-basis) 
is roughly the same as one polynomial basis multiplication, and the conversion 
routines require each a matrix that occupies O(p^2) bits of storage [7]. Hence 
Steps 1 and 6 cost each about two field multiplications. The time for an eval- 
uation of τ̄ is then roughly a half of the time for an evaluation of the addition 
(including the basis conversion). 
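To make the loop of Algorithm 4 concrete, here is an added example (not the paper's code) that runs Steps 3 to 8 in the ring Z[τ] rather than on curve points, using ττ̄ = 2 so that Step 6 becomes one multiplication by τ̄, and tallies τ̄-steps and additions under the two-halvings-per-addition accounting used for Table 1. The expansion arrays, the `mu` convention and all function names are assumptions of this example.

```python
"""Added example, not from the paper: Algorithm 4's Horner-style loop evaluated
in the ring Z[tau] instead of on curve points, so that the (tau, taubar)
expansion, the replacement of taubar by "tau^-1 then doubling" (Step 6), and the
operation count can be checked offline.

On the Koblitz curve E_a the Frobenius satisfies tau^2 - mu*tau + 2 = 0 with
mu = (-1)^(1-a), and taubar = mu - tau is its conjugate, so tau*taubar = 2 and
taubar = 2*tau^-1.  An element x + y*tau of Z[tau] is the pair (x, y); "the
point P" is the element 1, so evaluating the expansion yields the scalar z itself.
The arrays e, s, t and the cost weights are constructed for this example.
"""


def mul_tau(z, mu):
    """(x + y*tau) * tau = -2y + (x + mu*y) tau, using tau^2 = mu*tau - 2."""
    x, y = z
    return (-2 * y, x + mu * y)


def mul_taubar(z, mu):
    """(x + y*tau) * (mu - tau) = (mu*x + 2y) - x*tau; same as tau^-1 then doubling (Step 6)."""
    x, y = z
    return (mu * x + 2 * y, -x)


def add(z, w):
    return (z[0] + w[0], z[1] + w[1])


def signed_tau_power(e_i, t_i, mu):
    """(-1)^e_i * tau^t_i as an element of Z[tau]."""
    term = (1, 0)
    for _ in range(t_i):
        term = mul_tau(term, mu)
    return (-term[0], -term[1]) if e_i else term


def direct_eval(e, s, t, mu):
    """sum_i (-1)^e[i] taubar^s[i] tau^t[i], term by term (the Input line of Algorithm 4)."""
    total = (0, 0)
    for e_i, s_i, t_i in zip(e, s, t):
        term = signed_tau_power(e_i, t_i, mu)
        for _ in range(s_i):
            term = mul_taubar(term, mu)
        total = add(total, term)
    return total


def algorithm4(e, s, t, mu):
    """Steps 3-8 of Algorithm 4 over Z[tau]; returns (Q, taubar_steps, additions).

    Requires s nondecreasing and s[0] == 0 (an expansion whose smallest taubar
    exponent is 0); otherwise the loop's result would be off by taubar^s[0]."""
    k = len(e)
    assert len(s) == len(t) == k and s[0] == 0
    assert all(s[i] <= s[i + 1] for i in range(k - 1))
    Q = (0, 0)
    taubar_steps = additions = 0
    for i in range(k - 1, -1, -1):                    # Step 3
        if i != k - 1 and s[i] != s[i + 1]:            # Step 4
            for _ in range(s[i + 1] - s[i]):           # Step 5
                Q = mul_taubar(Q, mu)                  # Step 6: Q <- tau^-1 Q, Q <- 2Q
                taubar_steps += 1
        # Step 7: the Frobenius powers of P cost nothing in this ring model.
        Q = add(Q, signed_tau_power(e[i], t[i], mu))
        additions += 1
    return Q, taubar_steps, additions                   # Step 8


def cost_in_additions(taubar_steps, additions):
    """Section 7's accounting: one taubar evaluation is about half an addition."""
    return additions + taubar_steps / 2


if __name__ == "__main__":
    mu = -1                                   # curves with a = 0 (K-233, K-283, ...) have mu = -1
    e, s, t = [0, 1, 0, 1], [0, 1, 1, 3], [2, 0, 4, 1]   # constructed expansion
    Q, hb, ad = algorithm4(e, s, t, mu)
    assert Q == direct_eval(e, s, t, mu)
    print("z =", Q, "cost in additions:", cost_in_additions(hb, ad))
```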


8 Conclusion 

This work shows that using double bases in scalar multiplication improves per- 
formance significantly, even for the smallest cryptographic parameters, at 
almost no additional memory cost. This method however is only effective if 
multiplication by one of the bases can be neglected, as was shown in [4]. The 
resulting new scalar multiplication algorithms are especially fast on Koblitz 
curves and supersingular curves of characteristic three used in pairing-based 
cryptosystems. 

As this work is being written, other articles on the same subject are about to 
be published. In [10], accepted at CHES 2006, the authors present practical mea- 
surements on FPGA and show that indeed one achieves a 50% speedup already 
on the smallest Koblitz curve K-163 by using short decompositions found by a 
clever extensive search. The paper [2], to appear in the proceedings of SAC 2006, 
among other things contains results similar to ours, but expressed in the language 
of expansions with respect to a single base using suitably defined digit sets. 
Abstract. At Eurocrypt 2005, Waters presented an identity based en- 
cryption (IBE) protocol which is secure in the full model without random 
oracle. In this paper, we extend Waters’ IBE protocol to a hierarchical 
IBE (HIBE) protocol which is secure in the full model without random 
oracle. The only previous construction in the same setting is due to 
Waters. Our construction improves upon Waters’ HIBE by significantly 
reducing the number of public parameters. 


1 Introduction 

The concept of identity based encryption (IBE) was introduced by Shamir in 
1984 [17]. An IBE is a type of public key encryption where the public key can 
be any binary string. The corresponding secret key is generated by a private 
key generator (PKG) and provided to the legitimate user. The notion of IBE 
simplifies several applications of public key cryptography. The first efficient im- 
plementation and an appropriate security model for IBE was provided by Boneh 
and Franklin [5]. 

The PKG issues a private key associated with an identity. The notion of 
hierarchical identity based encryption (HIBE) was introduced in [14,13] to reduce 
the workload of the PKG. An entity in a HIBE structure has an identity which 
is a tuple (v_1, . . . , v_j). The private key corresponding to such an identity can 
be generated by the entity whose identity is (v_1, . . . , v_{j−1}) and which possesses 
the private key corresponding to his identity. The security model for IBE was 
extended to that of HIBE in [14,13]. 

The construction of IBE in [5] and of HIBE in [13], was proved to be secure in 
appropriate models using the random oracle heuristic, i.e., the protocols make 
use of cryptographic hash functions that are modeled as random oracle in the 
security proof. The first construction of an IBE which can be proved to be secure 
in the full model without the random oracle heuristic was given by Boneh and 
Boyen in [3]. Later, Waters [19] presented an efficient construction of an IBE 
which is secure in the same setting. 

An important construction of a HIBE is given by Boneh-Boyen [2]. This paper 
describes a general framework for constructing a HIBE. For an h-level HIBE, 
the idea in [2] is to use h functions ψ_1, . . . , ψ_h, where ψ_i is viewed as a hash 
function which maps the ith component of the identity tuple to an appropriate 
group element. This framework is instantiated in [2] to obtain a HIBE protocol 
which can be proved secure in a weaker model called the selective-ID (sID) model. 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 145-160, 2006. 

The construction by Waters in [19] can be viewed as another instantiation 
of a 1-level BB-framework [2]. Identities are considered to be n-bit strings. The 
construction uses group elements U', U_1, . . . , U_n (and P, P_1, P_2) as public pa- 
rameters. A natural extension of this construction to an h-level HIBE is given 
in [19]. In this extension, for an h-level HIBE, the public parameters will be of 
the form U'_1, U_{1,1}, . . . , U_{1,n}, U'_2, U_{2,1}, . . . , U_{2,n}, . . . , U'_h, U_{h,1}, . . . , U_{h,n}. One still 
requires the parameters P, P_1, P_2, giving rise to 3 + (n + 1)h many parameters. 

Our Contributions: We present a HIBE which can be proved to be secure 
in the full model assuming the decisional bilinear Diffie-Hellman problem to be 
hard without using the random oracle heuristic. Our construction can also be 
viewed as another instantiation of the BB-framework [2]. The public parameters 
for an h-level HIBE are of the form U'_1, . . . , U'_h, U_1, . . . , U_n. In other words, the 
parameters U'_1, . . . , U'_h correspond to the different levels of the HIBE, whereas 
the parameters U_1, . . . , U_n are the same for all the levels. These parameters 
U_1, . . . , U_n are reused in the key generation procedure. We require 3 + n + h 
parameters compared to 3 + (n + 1)h parameters in Waters’ HIBE. 

The reuse of public parameters over the different levels of the HIBE compli- 
cates the security proof. A straightforward extension of the independence results 
and lower bound proofs from [19] is not possible. We provide complete proofs of 
the required results. The constructed HIBE is proved to be secure under chosen 
plaintext attack (called CPA-secure). Standard techniques [8,6] can convert such 
a HIBE into one which is secure against chosen ciphertext attack (CCA-secure). 

Related Work: The first construction of HIBE which is secure in the full model 
is due to Gentry and Silverberg [13]. The security proof depends on the random 
oracle heuristic. HIBE constructions which can be proved secure without random 
oracle are known [2,4]. However, these are secure in the weaker selective-ID model. 
A generic transformation converts a selective-ID secure HIBE to a HIBE secure in 
the full model. Unfortunately, this results in an unacceptable degradation in the 
security bound. It is also possible to convert it into a HIBE secure in the full model 
under the random oracle hypothesis. As mentioned earlier, Waters’ [19] HIBE is 
the only previous indication of directly obtaining a HIBE which is secure in the full 
model without random oracle. In Table 1 of Section 4, we provide a comparison 
of our construction with the previous constructions. 

An extension of Waters’ IBE was independently done by Chatterjee-Sarkar [9] 
and Naccache [16]. In this extension, the n-bit identities of Waters’ IBE are 
replaced by l strings of length n/l bits each. This reduces the number of public 
parameters from 3 + n in Waters’ IBE to 3 + l. The trade-off is a further security 
degradation by a factor of approximately 2^{n/l}. This can be translated into a 
trade-off between the size of the public parameters and the efficiency of the 
protocol (see [9]). The CSN idea of extending Waters’ IBE can also be applied 
to the HIBE we describe. 
2 Definitions 

In this section, we describe HIBE, security model for HIBE, cryptographic bi- 
linear map and the hardness assumption that will be required in the proof. 

2.1 HIBE Protocol 

Following [14,13] a HIBE scheme is specified by four probabilistic algorithms: 
Setup, Key Generation, Encryption and Decryption. Note that, for a HIBE of 

height h (henceforth denoted as h-HIBE) any identity v is a tuple (v_1, . . . , v_j) 
where 1 ≤ j ≤ h. 

Setup: It takes as input a security parameter and returns the system parameters 
together with the master key. The system parameters include the public param- 
eters of the PKG, a description of the message space, the ciphertext space and 
the identity space. These are publicly known while the master key is known only 
to the PKG. 

Each of the algorithms below (Key Generation, Encryption and Decryption) 
have the system public parameters as an input. We do not mention this explicitly. 

Key Generation: It takes as input an identity v = (v_1, . . . , v_j), the public pa- 
rameters of the PKG and the private key d_{v|(j−1)} corresponding to the identity 
(v_1, . . . , v_{j−1}) and returns a private key d_v for v. The identity v is used as the 
public key while d_v is the corresponding private key. If j = 1, then the private 
key is generated by the PKG. It is not difficult to see that any entity which 
possesses a private key for a prefix of v can generate a private key for v. 

Encryption: It takes as input the identity v, the public parameters of the PKG 
and a message from the message space and produces a ciphertext in the cipher- 
text space. 

Decryption: It takes as input the ciphertext and the private key of the cor- 
responding identity v and returns the message or bad if the ciphertext is not 
valid. 


2.2 Security Model for HIBE 

Security is defined using an adversarial game. An adversary A is allowed to query 
two oracles - a decryption oracle and a key-extraction oracle. At the initiation, 
it is provided with the public parameters of the PKG. The game has two query 
phases with a challenge phase in between. 

Query Phase 1: Adversary A makes a finite number of queries where each query 
is addressed either to the decryption oracle or to the key-extraction oracle. In 
a query to the decryption oracle it provides a ciphertext as well as the identity 
under which it wants the decryption. It gets back the corresponding message or 
bad if the ciphertext is invalid. Similarly, in a query to the key-extraction oracle, 
it asks for the private key of the identity it provides and gets back this private 
key. Further, A is allowed to make these queries adaptively, i.e., any query may 
depend on the previous queries as well as their answers. The adversary is not 
allowed to make any useless queries, i.e., queries for which it can compute the 
answer itself. For example, the adversary is not allowed to ask for the decryp- 
tion of a message under an identity if it has already obtained a private key 
corresponding to the identity. 

Challenge: At this stage, A outputs an identity v* = (v*_1, . . . , v*_j) for 1 ≤ j ≤ h, 
and a pair of messages Mo and Mi. There is the natural restriction on the 
adversary, that it cannot query the key extraction oracle on v* or any of its 
proper prefixes in either of the phases 1 or 2. A random bit b is chosen and the 
adversary is provided with C* which is an encryption of Mb under v*. 

Query Phase 2: A now issues additional queries just like Phase 1, with the 
(obvious) restrictions that it cannot ask the decryption oracle for the decryption 
of C* under v*, nor the key-extraction oracle for the private key of v* or any of its 
prefixes. 

Guess: A outputs a guess b' of b. 

The advantage of the adversary A is defined as: 

$$ \mathrm{Adv}^{\mathrm{HIBE}}_{\mathcal A} = |\Pr[b = b'] - 1/2|. $$

The quantity Adv^HIBE(t, q_ID, q_C) denotes the maximum of Adv^HIBE_A where the max- 
imum is taken over all adversaries running in time at most t and making at 
most q_C queries to the decryption oracle and at most q_ID queries to the key- 
extraction oracle. A HIBE protocol is said to be (ε, t, q_ID, q_C)-CCA secure if 
Adv^HIBE(t, q_ID, q_C) ≤ ε. 

In the above game, we can restrict the adversary A from querying the de- 
cryption oracle. Adv^HIBE(t, q) in this context denotes the maximum advantage 
where the maximum is taken over all adversaries running in time at most t and 
making at most q queries to the key-extraction oracle. A HIBE protocol is said 
to be (t, q, ε)-CPA secure if Adv^HIBE(t, q) ≤ ε. 

As mentioned earlier there are generic techniques [8,6] for converting a CPA- 
secure HIBE into a CCA-secure HIBE. In view of these techniques, we will 
concentrate only on CPA-secure HIBE. 

2.3 Cryptographic Bilinear Map 

Let G_1 and G_2 be cyclic groups having the same prime order p and G_1 = ⟨P⟩, 
where we write G_1 additively and G_2 multiplicatively. A mapping e : G_1 × G_1 → 
G_2 is called a cryptographic bilinear map if it satisfies the following properties. 

- Bilinearity: e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G_1 and a, b ∈ Z_p. 

- Non-degeneracy: If G_1 = ⟨P⟩, then G_2 = ⟨e(P, P)⟩. 

- Computability: There exists an efficient algorithm to compute e(P, Q) for all 
P, Q ∈ G_1. 

Since e(aP, bP) = e(P, P)^{ab} = e(bP, aP), e() also satisfies the symmetry prop- 
erty. The modified Weil pairing [5] and the modified Tate pairing [1,11] are 
examples of cryptographic bilinear maps. 
Note: Known examples of e() have G_1 to be a group of Elliptic Curve (EC) points 
and G_2 to be a subgroup of a multiplicative group of a finite field. Hence, in 
papers on pairing implementations [1,11], it is customary to write G_1 additively 
and G_2 multiplicatively. On the other hand, some “pure” protocol papers [2,3,19] 
write both G_1 and G_2 multiplicatively though this is not true for the initial 
protocol papers [15,5]. Here we follow the first convention as it is closer to the 
known examples of cryptographic bilinear map. 

The decisional bilinear Diffie-Hellman (DBDH) problem in (G_1, G_2, e) [5] is 
as follows: Given a tuple (P, aP, bP, cP, Z), where Z ∈ G_2, decide whether Z = 
e(P, P)^{abc} (which we denote as Z is real) or Z is random. 

The advantage of a probabilistic algorithm B, which takes as input a tuple 
(P, aP, bP, cP, Z) and outputs a bit, in solving the DBDH problem is defined as 

$$ \mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal B} = \big|\Pr[\mathcal B(P, aP, bP, cP, Z) = 1 \mid Z \text{ is real}] - \Pr[\mathcal B(P, aP, bP, cP, Z) = 1 \mid Z \text{ is random}]\big| $$

where the probability is calculated over the random choices of a, b, c ∈ Z_p as well 
as the random bits used by B. The quantity Adv^DBDH(t) denotes the maximum 
of Adv^DBDH_B where the maximum is taken over all adversaries B running in time 
at most t. By the (ε, t)-DBDH assumption we mean Adv^DBDH(t) ≤ ε. 

3 HIBE Construction 

The IBE scheme proposed in [19] has some similarities with the 1-level (H)IBE 
scheme of Boneh-Boyen [2]. Waters in his paper [19], utilized this similarity to 
build a HIBE in an obvious manner, i.e., for each level we have to generate new 
parameters. This makes the public parameters quite large - for a HIBE of height 
h with n-bit identities, the number of public parameters becomes n × h. 

Here we present an alternative construction where the public parameters can 
be significantly reduced. We show that for an h-HIBE it suffices to store (n + h) 
elements in the public parameter. 

The identities are of the type (v_1, . . . , v_j), for j ∈ {1, . . . , h}, where each v_k = 
(v_{k,1}, . . . , v_{k,n}), v_{k,i} ∈ {0, 1} for 1 ≤ i ≤ n. 

Let G_1 and G_2 be cyclic groups having the same prime order p. We use a 
cryptographic bilinear map e : G_1 × G_1 → G_2 the definition of which is given in 
Section 2.3. The message space is G_2. 

Set-Up: The protocol is built from groups G_1, G_2 and a bilinear map e as men- 
tioned above. The public parameters are the following elements: P, P_1 = αP, 
P_2, U'_1, . . . , U'_h, U_1, . . . , U_n, where G_1 = ⟨P⟩, α is chosen randomly from Z_p 
and the other quantities are chosen randomly from G_1. The master secret is 
αP_2. (The quantities P_1 and P_2 are not directly required; instead e(P_1, P_2) is 
required. Hence one may store e(P_1, P_2) as part of the public parameters instead 
of P_1 and P_2.) 

Note that for the jth level of the HIBE, we add a single element, i.e., U'_j in 
the public parameter while the elements U_1, . . . , U_n are re-used for each level. 
This way we are able to shorten the public parameter size. 
A shorthand: Let v = (v_1, . . . , v_n), where each v_i is a bit. For 1 ≤ k ≤ h we 
define, 

$$ V_k(v) = U'_k + \sum_{i=1}^{n} v_i U_i. \qquad (1) $$

When v is clear from the context we will write V_k instead of V_k(v). The modu- 
larity introduced by this notation allows an easier understanding of the protocol. 

Key Generation: Let v = (v_1, . . . , v_j), j ≤ h, be the identity for which the 
private key is required. The private key d_v for v is defined to be a tuple d_v = 
(d_0, d_1, . . . , d_j) where 

$$ d_0 = \alpha P_2 + \sum_{k=1}^{j} r_k V_k(v_k); \quad\text{and}\quad d_k = r_k P \text{ for } 1 \le k \le j. $$

Here r_1, . . . , r_j are random elements from Z_p. 

Such a key can be generated by an entity which possesses a private key for 
the tuple (v_1, . . . , v_{j−1}) in the manner shown in [2]. Suppose (d'_0, d'_1, . . . , d'_{j−1}) is 
a private key for the identity (v_1, . . . , v_{j−1}). To generate a private key for v, first 
choose a random r_j ∈ Z_p and compute d_v = (d_0, d_1, . . . , d_j) as follows. 

$$ d_0 = d'_0 + r_j V_j(v_j); \quad d_i = d'_i \text{ for } 1 \le i \le j-1; \quad\text{and}\quad d_j = r_j P. $$

In fact, any prefix of v as well as the PKG can generate a private key d_v for v. 

Encryption: Let v = (v_1, . . . , v_j) be the identity under which a message M ∈ G_2 
is to be encrypted. Choose t to be a random element of Z_p. The ciphertext is 

$$ (C_0 = M \times e(P_1, P_2)^t,\ C_1 = tP,\ B_1 = tV_1(v_1),\ \ldots,\ B_j = tV_j(v_j)). $$

Decryption: Let C = (C_0, C_1, B_1, . . . , B_j) be a ciphertext and the corresponding 
identity v = (v_1, . . . , v_j). Let (d_0, d_1, . . . , d_j) be the decryption key corresponding 
to the identity v. The decryption steps are as follows. 

Verify whether C_0 is in G_2, C_1 and the B_i's are in G_1. If any of these ver- 
ifications fail, then return bad, else proceed with further decryption as follows. 
Compute V_1(v_1), . . . , V_j(v_j). Return 

$$ C_0 \times \frac{\prod_{i=1}^{j} e(d_i, B_i)}{e(d_0, C_1)}. $$

It is standard to verify the consistency of decryption. 
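The construction above, as an added example that is not from the paper: a runnable model of Set-Up, Key Generation, prefix delegation, Encryption and Decryption in which the pairing is replaced by an insecure toy bilinear map over Z_p (with G_2 written additively), so that only the algebra is checked, including the reuse of U_1, . . . , U_n across levels and the h + n + 3 parameter count. The class and method names, and the toy group, are assumptions of this example.

```python
"""Added example, not from the paper: the Section 3 HIBE (Set-Up, Key Generation,
prefix delegation, Encryption, Decryption) written out so its algebra can be run.

Assumption: the bilinear map is replaced by a deliberately insecure stand-in so the
example runs offline.  G1 = (Z_p, +) with generator P = 1, G2 = (Z_p, +), and
e(x, y) = x*y mod p, which is bilinear: e(aP, bQ) = ab * e(P, Q).  Because G2 is
written additively, "e(P1,P2)^t" becomes t*e(P1,P2) and the final division in
Decryption becomes a subtraction.  This checks correctness only; it gives no
security.  The names HIBE, keygen, delegate, ... and the sizes n, h, p are constructed.
"""
import secrets

p = 2**61 - 1          # prime order of G1 and G2 (toy choice)
P = 1                  # generator of G1 = (Z_p, +)


def e(x, y):
    """Toy symmetric bilinear map G1 x G1 -> G2."""
    return (x * y) % p


class HIBE:
    def __init__(self, n, h):
        self.n, self.h = n, h
        alpha = secrets.randbelow(p)
        self.P1 = alpha * P % p
        self.P2 = secrets.randbelow(p)
        self.Uprime = [secrets.randbelow(p) for _ in range(h)]   # U'_1..U'_h, one per level
        self.U = [secrets.randbelow(p) for _ in range(n)]        # U_1..U_n, shared by all levels
        self.master = alpha * self.P2 % p                        # master secret alpha*P2

    def public_params(self):
        """P, P1, P2, U'_1..U'_h, U_1..U_n: h + n + 3 elements of G1."""
        return [P, self.P1, self.P2] + self.Uprime + self.U

    def V(self, k, v):
        """Equation (1): V_k(v) = U'_k + sum_{i=1}^{n} v_i U_i for an n-bit tuple v."""
        assert len(v) == self.n and 1 <= k <= self.h
        return (self.Uprime[k - 1] + sum(vi * Ui for vi, Ui in zip(v, self.U))) % p

    def keygen(self, ident):
        """PKG key for ident = (v_1..v_j): d_0 = alpha P2 + sum_k r_k V_k(v_k), d_k = r_k P."""
        j = len(ident)
        assert 1 <= j <= self.h
        r = [secrets.randbelow(p) for _ in range(j)]
        d0 = (self.master + sum(r[k] * self.V(k + 1, ident[k]) for k in range(j))) % p
        return [d0] + [rk * P % p for rk in r]

    def delegate(self, parent_key, ident):
        """Key for ident from the key of its (j-1)-prefix: d_0 += r_j V_j(v_j), d_j = r_j P."""
        j = len(ident)
        assert len(parent_key) == j          # parent key holds d_0 and d_1..d_{j-1}
        rj = secrets.randbelow(p)
        d0 = (parent_key[0] + rj * self.V(j, ident[-1])) % p
        return [d0] + parent_key[1:] + [rj * P % p]

    def encrypt(self, ident, M):
        t = secrets.randbelow(p)
        C0 = (M + t * e(self.P1, self.P2)) % p            # M x e(P1,P2)^t
        C1 = t * P % p
        B = [t * self.V(k + 1, ident[k]) % p for k in range(len(ident))]
        return (C0, C1, B)

    def decrypt(self, key, ident, C):
        C0, C1, B = C
        # Membership check: every component must be a group element (here: in Z_p).
        if not all(isinstance(x, int) and 0 <= x < p for x in [C0, C1, *B]):
            return "bad"
        j = len(ident)
        if len(B) != j or len(key) != j + 1:
            return "bad"
        # C0 x prod_i e(d_i, B_i) / e(d_0, C1), in additive notation for G2.
        return (C0 + sum(e(key[i + 1], B[i]) for i in range(j)) - e(key[0], C1)) % p
```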


Chatterjee-Sarkar-Naccache Extension: Following [9,16], let l be a size parameter 
which divides n. An identity is a tuple (v_1, . . . , v_j), j ≤ h, where each v_k, 1 ≤ 
k ≤ j, is represented as v_k = (v_{k,1}, . . . , v_{k,l}) where v_{k,i} is an (n/l)-bit string 
considered to be an element of 
The public parameters are P, P_1, P_2, U_1, . . . , U_l and U'_1, . . . , U'_h. In this case, 
we change the definition of V_k() to the following: V_k(v) = U'_k + Σ_{i=1}^{l} v_i U_i where 
each v_i is a bit string of length n/l. Using this modified definition of V_k() for 
1 ≤ k ≤ h, the key generation, encryption and decryption algorithms of the HIBE 
described above can be extended to the Chatterjee-Sarkar-Naccache settings. 

4 Security 

In this section, we state the result on security and discuss its implications. The 
proof is given in Section 5. 

Theorem 1. The HIBE protocol described in Section 3 is (ε_hibe, t, q)-CPA se- 
cure assuming that the (t', ε_dbdh)-DBDH assumption holds in (G_1, G_2, e), where 
ε_hibe ≤ 2ε_dbdh/λ; t' = t + χ(ε_hibe) and 

$$ \chi(\varepsilon) = O(\tau q) + O\big(\varepsilon^{-2}\ln(\varepsilon^{-1})\,\lambda^{-1}\ln(\lambda^{-1})\big); $$

τ is the time required for one scalar multiplication in G_1; 

$$ \lambda = 1/\big(2(4q(n+1))^h\big). $$

We further assume 4q(n + 1) < p. 

The last assumption is practical and similar assumptions are also made in [19,9,16], 
though not quite so explicitly. Before proceeding to the proof, we discuss the above 
result. The main point of the theorem is the bound on ε_hibe. This is given in terms 
of λ and in turn in terms of q, n and h. 

The reduction is not tight; security degrades by a factor of 4(4q(n + 1))^h. 
The actual value of degradation depends on the value of q, the number of key 
extraction queries made by the adversary. A value of q used in earlier analysis 
is q = 2^30 [12]. 

h = 1: This implies that the HIBE is actually an IBE. This is the situation 
originally considered by Waters [19] and ε_hibe ≤ 16q(n + 1)ε_dbdh ≤ 32nq ε_dbdh. 

h > 1: This corresponds to a proper HIBE and we obtain ε_hibe ≤ 4(4q(n + 
1))^h ε_dbdh ≤ 4(8nq)^h ε_dbdh. For n = 160 (and q = 2^30), this amounts to ε_hibe ≤ 
4(10 × 2^37)^h ε_dbdh. 

In Table 1, we compare the known HIBE protocols which are secure in the full 
model. We note that HIBE protocols which are secure in the selective-ID model 
are also secure in the full model with a security degradation of ≈ 2^{nh}, where h 
is the number of levels in the HIBE and n is the number of bits in the identity. This 
degradation is far worse than the protocols in Table 1. 

The BB-HIBE in Table 1 is obtained through a generic transformation (as 
mentioned in [2]) of the selective-ID secure BB-HIBE to a HIBE secure in the full 
model using random oracle. For the GS-HIBE [13] and BB-HIBE, the parameter 
q_H stands for the total number of random oracle queries and in general q_H ≈ 
2^60 q [12]. The parameter j in the private key size, ciphertext size and the 
encryption and decryption columns of Table 1 represents the number of levels 
of the identity on which the operations are performed. The parameter h is the 
maximum number of levels in the HIBE. The construction in this paper requires 
(h + n + 3) many elements of G_1 as public parameters whereas Waters’ HIBE 
requires (n + 1)h + 3 many elements. The security degradation remains the same 
in both cases. 

Table 1. Comparison of HIBE Protocols 

Protocol    | Hardness Assump. | Rnd. Ora. | Sec. Deg. | Pub. Para. sz (elts. of G_1) | Pvt. Key sz (elts. of G_1) | Cprtxt sz (elts. of G_1) | Pairing Enc. | Pairing Dec. 
GS [13]     | BDH              | Yes       | q_H^h q   | 2                            | j                          | j                        | 1            | j 
BB [2]      | DBDH             | Yes       | q_H^h     | h + 3                        | j + 1                      | j + 1                    | None         | j + 1 
Waters [19] | DBDH             | No        | 4(8nq)^h  | (n + 1)h + 3                 | j + 1                      | j + 1                    | None         | j + 1 
Our         | DBDH             | No        | 4(8nq)^h  | h + n + 3                    | j + 1                      | j + 1                    | None         | j + 1 

5 Proof of Theorem 1 

The security reduction follows along standard lines and develops on the proof 
given in [19,9,16]. We need to lower bound the probability of the simulator 
aborting on certain queries and in the challenge stage. The details of obtaining 
this lower bound are given in Section 5.1. In the following proof, we simply use 
the lower bound. We want to show that the HIBE is (ε_hibe, t, q)-CPA secure. In 
the game sequence style of proofs, we start with the adversarial game defining 
the CPA-security of the protocol against an adversary A and then obtain a 
sequence of games as usual. In each of the games, the simulator chooses a bit δ 
and the adversary makes a guess δ'. By X_i we will denote the event that the bit 
δ is equal to the bit δ' in the ith game. 

Game 0: This is the usual adversarial game used in defining CPA-secure HIBE. 
We assume that the adversary’s runtime is t and it makes q key extraction 
queries. Also, we assume that the adversary maximizes the advantage among all 
adversaries with similar resources. Thus, we have ε_hibe = |Pr[X_0] − 1/2|. 

Game 1: In this game, we setup the protocol from a tuple (P, P_1 = aP, P_2 = 
bP, P_3 = cP, Z = e(P_1, P_2)^c) and answer key extraction queries and generate 
the challenge. The simulator is assumed to know the values a, b and c. However, 
the simulator can setup the protocol as well as answer certain private key queries 
without the knowledge of these values. Also, for certain challenge identities it 
can generate the challenge ciphertext without the knowledge of a, b and c. In the 
following, we show how this can be done. If the simulator cannot answer a key 
extraction query or generate a challenge without using the knowledge of a, b and 
c, it sets a flag flg to one. The value of flg is initially set to zero. 

Note that the simulator is always able to answer the adversary (with or with- 
out using a, b and c). The adversary is provided with proper replies to all its 
queries and is also provided the proper challenge ciphertext. Thus, irrespective 
of whether flg is set to one, the adversary’s view in Game 1 is same as that in 
Game 0. Hence, we have Pr[X_0] = Pr[X_1]. 
We next show how to setup the protocol and answer the queries based on the 
tuple (P, P_1 = aP, P_2 = bP, P_3 = cP, Z = e(P, P)^{abc}). 

Set-Up: Let m be a prime such that 2q < m < 4q. Our choice of m is different 
from that of previous works [19,9,16] where m was chosen to be equal to 4q and 
2q. 

Choose x'_1, . . . , x'_h and x_1, . . . , x_n randomly from Z_m; also choose y'_1, . . . , y'_h 
and y_1, . . . , y_n randomly from Z_p. Choose k_1, . . . , k_h randomly from {0, . . . , n}. 

For 1 ≤ j ≤ h, define U'_j = (p − mk_j + x'_j)P_2 + y'_j P and for 1 ≤ i ≤ n define 
U_i = x_i P_2 + y_i P. The public parameters are (P, P_1, P_2, U'_1, . . . , U'_h, U_1, . . . , U_n). 
The master secret is aP_2 = abP. The distribution of the public parameters is 
as expected by A. In its attack, A will make some queries, which have to be 
properly answered by the simulator. 

For 1 ≤ j ≤ h, we define several functions. Let v = (v_1, . . . , v_n) where each 
v_i ∈ {0, 1}. We define 

$$
\begin{aligned}
F_j(v) &= p - mk_j + x'_j + \sum_{i=1}^{n} x_i v_i, \\
J_j(v) &= y'_j + \sum_{i=1}^{n} y_i v_i, \\
L_j(v) &= x'_j + \sum_{i=1}^{n} x_i v_i \pmod m, \\
K_j(v) &= \begin{cases} 0 & \text{if } L_j(v) = 0, \\ 1 & \text{otherwise.} \end{cases}
\end{aligned}
\qquad (2)
$$


Recall that we have assumed 4q(n + 1) < p. Let F_min and F_max be the minimum 
and maximum values of F_j(v). F_min is achieved when k_j is maximum and x'_j 
and the x_i's are all zero. Thus, F_min = p − mn. We have mn < 4q(n + 1) and 
by assumption 4q(n + 1) < p. Hence, F_min > 0. Again F_max is achieved when 
k_j = 0 and x'_j and the x_i's and v_i's are equal to their respective maximum 
values. We get F_max < p + m(n + 1) < p + 4q(n + 1) < 2p. Thus, we have 
0 < F_min ≤ F_j(v) ≤ F_max < 2p. Consequently, F_j(v) = 0 mod p if and only if 
F_j(v) = p which holds if and only if −mk_j + x'_j + Σ_{i=1}^{n} x_i v_i = 0. 
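Added example, not from the paper: the simulator's Set-Up quantities and the functions of (2), with a brute-force check on toy parameters of the bound 0 < F_min ≤ F_j(v) ≤ F_max < 2p and of why an identity on which the challenge can be simulated is never one on which a key extraction query can be simulated. The toy sizes, the seed and all function names are assumptions of this example.

```python
"""Added example, not from the paper: the simulator's Set-Up quantities from
Section 5 (m, the x/x', y/y', k_j and the functions F_j, J_j, L_j, K_j of (2)),
with an exhaustive check of the bound 0 < F_min <= F_j(v) <= F_max < 2p and of
the equivalence F_j(v) = 0 (mod p)  <=>  -m k_j + x'_j + sum_i x_i v_i = 0, which
is what lets the simulator decide "answer" versus "set flg" without using a, b, c.
Toy sizes are constructed: p, q, n, h are small enough to enumerate every n-bit v.
"""
import itertools
import random


def is_prime(x):
    if x < 2:
        return False
    return all(x % d for d in range(2, int(x ** 0.5) + 1))


def simulator_setup(p, q, n, h, rng):
    """Choose m (prime, 2q < m < 4q) and the simulator's secret exponents."""
    assert is_prime(p) and 4 * q * (n + 1) < p                     # assumption of Theorem 1
    m = next(c for c in range(2 * q + 1, 4 * q) if is_prime(c))    # exists by Bertrand's postulate
    return {
        "p": p, "m": m,
        "xp": [rng.randrange(m) for _ in range(h)], "x": [rng.randrange(m) for _ in range(n)],
        "yp": [rng.randrange(p) for _ in range(h)], "y": [rng.randrange(p) for _ in range(n)],
        "k": [rng.randrange(n + 1) for _ in range(h)],
    }


def demo_setup(seed=7):
    """Toy instance p = 1009, q = 4, n = 4, h = 2 (constructed), seeded for repeatability."""
    return simulator_setup(p=1009, q=4, n=4, h=2, rng=random.Random(seed)), 4, 2


def F(sim, j, v):
    return sim["p"] - sim["m"] * sim["k"][j - 1] + sim["xp"][j - 1] + sum(xi * vi for xi, vi in zip(sim["x"], v))


def J(sim, j, v):
    return sim["yp"][j - 1] + sum(yi * vi for yi, vi in zip(sim["y"], v))


def L(sim, j, v):
    return (sim["xp"][j - 1] + sum(xi * vi for xi, vi in zip(sim["x"], v))) % sim["m"]


def K(sim, j, v):
    return 0 if L(sim, j, v) == 0 else 1


def can_answer_key_query(sim, ident):
    """Key extraction on (v_1..v_j) is simulable iff some level u has K_u(v_u) = 1."""
    return any(K(sim, u, v) == 1 for u, v in enumerate(ident, start=1))


def can_build_challenge(sim, ident):
    """The challenge on v* is simulable iff F_k(v*_k) = 0 mod p for every level k."""
    return all(F(sim, k, v) % sim["p"] == 0 for k, v in enumerate(ident, start=1))


def check_bounds(sim, n, h):
    """Enumerate all levels and all n-bit v; return (F_min, F_max, claims_hold)."""
    p, m = sim["p"], sim["m"]
    seen = [F(sim, j, v) for j in range(1, h + 1) for v in itertools.product((0, 1), repeat=n)]
    fmin, fmax = min(seen), max(seen)
    ok = 0 < p - m * n <= fmin and fmax < p + m * (n + 1) < 2 * p
    for j in range(1, h + 1):
        for v in itertools.product((0, 1), repeat=n):
            exact_zero = (-m * sim["k"][j - 1] + sim["xp"][j - 1]
                          + sum(xi * vi for xi, vi in zip(sim["x"], v))) == 0
            ok = ok and ((F(sim, j, v) % p == 0) == exact_zero)
            # F_j(v) = 0 mod p forces L_j(v) = 0, i.e. K_j(v) = 0: a level that is good for the
            # challenge is never the level that rescues a key query, so the two cases never clash.
            ok = ok and (not exact_zero or K(sim, j, v) == 0)
    return fmin, fmax, ok
```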

Now we describe how the queries made by A are answered by B. The queries 
can be made in both Phases 1 and 2 of the adversarial game (subject to the 
usual restrictions). The manner in which they are answered by the simulator is 
the same in both the phases. 


Key Extraction Query: Suppose A makes a key extraction query on the identity 
v = (v_1, . . . , v_j). Suppose there is a u with 1 ≤ u ≤ j such that K_u(v_u) = 1. 
Otherwise set flg to one. In the second case, the simulator uses the value of a to 
return a proper private key d_v = (aP_2 + Σ_{i=1}^{j} r_i V_i, r_1 P, . . . , r_j P). In the first 
case, the simulator constructs a private key in the following manner. 

Choose random r_1, . . . , r_j from Z_p and define 

$$
\begin{aligned}
d_{0|u} &= -J_u(v_u) F_u(v_u)^{-1} P_1 + r_u\big(F_u(v_u) P_2 + J_u(v_u) P\big) \\
d_u &= -F_u(v_u)^{-1} P_1 + r_u P \\
d_k &= r_k P \quad \text{for } k \ne u \\
d_v &= \Big(d_{0|u} + \sum_{k \in \{1,\ldots,j\}\setminus\{u\}} r_k V_k,\ d_1, \ldots, d_j\Big)
\end{aligned}
\qquad (3)
$$
The quantity d_v is a proper private key corresponding to the identity v. The 
algebraic verification of this fact is similar to that in [2,19]. This key is provided 
to A. 

Challenge: Let the challenge identity be v* = (v*_1, . . . , v*_{h*}), 1 ≤ h* ≤ h and the 
messages be M_0 and M_1. Choose a random bit δ. We need to have F_k(v*_k) = 
0 mod p for all 1 ≤ k ≤ h*. If this condition does not hold, then set flg to one. In 
the second case, the simulator uses the value of c to provide a proper encryption 
of M_δ to A by computing (M_δ × e(P_1, P_2)^c, cP, cV_1, . . . , cV_{h*}). In the first case, 
it constructs a proper encryption of M_δ in the following manner. 

$$ (M_\delta \times Z,\ C_1 = P_3,\ B_1 = J_1(v^*_1) P_3,\ \ldots,\ B_{h^*} = J_{h^*}(v^*_{h^*}) P_3). $$

We require B_j to be equal to cV_j(v*_j) for 1 ≤ j ≤ h*. Recall that the definition 
of V_j(v) is V_j(v) = U'_j + Σ_{k=1}^{n} v_k U_k. Using the definition of U'_j and the U_k's as 
defined in the setup by the simulator, we obtain cV_j = c(F_j(v*_j)P_2 + J_j(v*_j)P) = 
J_j(v*_j)cP = J_j(v*_j)P_3. Here we use the fact F_j(v*_j) = 0 mod p. Hence, the quan- 
tities B_1, . . . , B_{h*} are properly formed. 

Guess: The adversary outputs a guess δ' of δ. 

Game 2: This is a modification of Game 1 whereby the Z in Game 1 is now 
chosen to be a random element of G_2. This Z is used to mask the message 
M_δ in the challenge ciphertext. Since Z is random, the first component of the 
challenge ciphertext is a random element of G_2 and provides no information to 
the adversary about δ. Thus, Pr[X_2] = 1/2. 

We have the following claim. 

Claim: 

$$ |\Pr[X_1] - \Pr[X_2]| \le \frac{\varepsilon_{dbdh}}{\lambda} + \frac{\varepsilon_{hibe}}{2}. $$

Proof: The change from Game 1 to Game 2 corresponds to an "indistinguishability"
step in Shoup's tutorial [18] on such games. Usually, it is easy to bound
the probability difference. In this case, the situation is complicated by the fact
that there is a need to abort.

We show that it is possible to obtain an algorithm $\mathcal{B}$ for DBDH by extending
Games 1 and 2. The extension of both games is the same and is described as
follows. $\mathcal{B}$ takes as input a tuple $(P, aP, bP, cP, Z)$ and sets up the HIBE protocol
as in Game 1 (the setups of Games 1 and 2 are the same). The key extraction
queries are answered and the challenge ciphertext is generated as in Game 1.
If at any point of time flg is set to one by the game, then $\mathcal{B}$ outputs a random
bit and aborts. This is because the query cannot be answered or the challenge
ciphertext cannot be generated using the input tuple. At the end of the game,
the adversary outputs the guess $\delta'$. $\mathcal{B}$ now goes through a separate abort stage
as follows.
"Artificial Abort": The probability that $\mathcal{B}$ aborts in the query or challenge phases
depends on the adversary's input. The goal of the artificial abort step is to make
the probability of abort independent of the adversary's queries by ensuring that
in all cases its probability of abort is the maximum possible. This is done by sampling
the transcript of the adversary's queries and in certain cases aborting. The sampling
procedure introduces the extra component $O\big(\epsilon_{hibe}^{-2} \ln(\epsilon_{hibe}^{-1}) \lambda^{-1} \ln(\lambda^{-1})\big)$
into the simulator's runtime. (For details see [19,16].) Here $\lambda$ is a lower bound
on the probability that $\mathcal{B}$ does not abort before entering the artificial abort stage.
The expression for $\lambda$ is obtained in Proposition 3 of Section 5.1.

Output: If $\mathcal{B}$ has not aborted up to this stage, then it outputs 1 if $\delta = \delta'$; else 0.

Note that if $Z$ is real, then the adversary is playing Game 1 and if $Z$ is random,
then the adversary is playing Game 2. The time taken by the simulator in either
Game 1 or 2 is clearly $t + \chi(\epsilon_{hibe})$. From this point, standard inequalities and
probability calculations establish the claim. □

Now we can complete the proof in the following manner. 

\[
\begin{aligned}
\epsilon_{hibe} &= \Big|\Pr[X_0] - \frac{1}{2}\Big| \\
&\le |\Pr[X_0] - \Pr[X_2]| \\
&\le |\Pr[X_0] - \Pr[X_1]| + |\Pr[X_1] - \Pr[X_2]| \\
&\le \frac{\epsilon_{hibe}}{2} + \frac{\epsilon_{dbdh}}{\lambda}.
\end{aligned}
\]

Rearranging the inequality gives the desired result. This completes the proof of 
Theorem 1. □ 

5.1 Lower Bound on Not Abort 

We require the following two independence results in obtaining the required lower 
bound. Similar independence results have been used in [19,9,16] in connection 
with IBE protocols. The situation for HIBE is more complicated than IBE and 
especially so since we reuse some of the public parameters over different levels 
of the HIBE. This makes the proofs more difficult. Our independence results are 
given in Proposition 1 and 2 and these subsume the results of previous work. We 
provide complete proofs for these two propositions as well as a complete proof 
for the lower bound. The probability calculation for the lower bound is also more 
complicated compared to the IBE case. 

Proposition 1. Let $m$ be a prime and $L(\cdot)$ be as defined in (2). Let $v_1, \ldots, v_j$
be identities, i.e., each $v_i = (v_{i,1}, \ldots, v_{i,n})$ is an $n$-bit string. Then
\[
\Pr\Big[\bigwedge_{k=1}^{j} (L_k(v_k) = 0)\Big] = \frac{1}{m^j}.
\]
The probability is over independent and uniform random choices of $x'_1, \ldots, x'_j$,
$x_1, \ldots, x_n$ from $\mathbb{Z}_m$. Consequently, for any $\theta \in \{1, \ldots, j\}$, we have
\[
\Pr\Big[L_\theta(v_\theta) = 0 \,\Big|\, \bigwedge_{k=1,\, k \neq \theta}^{j} (L_k(v_k) = 0)\Big] = \frac{1}{m}.
\]
Proof: Since $\mathbb{Z}_m$ forms a field, we can do linear algebra with vector spaces over
$\mathbb{Z}_m$. The condition $\bigwedge_{k=1}^{j} (L_k(v_k) = 0)$ is equivalent to the following system of
equations over $\mathbb{Z}_m$.
\[
\begin{aligned}
x'_1 + v_{1,1} x_1 + \cdots + v_{1,n} x_n &= 0 \\
x'_2 + v_{2,1} x_1 + \cdots + v_{2,n} x_n &= 0 \\
&\;\;\vdots \\
x'_j + v_{j,1} x_1 + \cdots + v_{j,n} x_n &= 0
\end{aligned}
\]
This can be rewritten as
\[
(x'_1, \ldots, x'_j, x_1, \ldots, x_n)_{1 \times (j+n)}\, A_{(j+n) \times (j+n)} = (0, \ldots, 0)_{1 \times (j+n)}
\]
where
\[
A = \begin{bmatrix} I_j & O_{j \times n} \\ V & O_{n \times n} \end{bmatrix}
\quad \text{and} \quad
V = \begin{bmatrix} v_1^T & \cdots & v_j^T \end{bmatrix}_{n \times j}.
\]
$I_j$ is the identity matrix of order $j$; $O$ is the all zero matrix of the specified order.
The rank of $A$ is clearly $j$ and hence the dimension of the solution space is $n$.
Hence, there are $m^n$ solutions in $(x'_1, \ldots, x'_j, x_1, \ldots, x_n)$ to the above system of
linear equations. Since the variables $x'_1, \ldots, x'_j, x_1, \ldots, x_n$ are chosen independently
and uniformly at random, the probability that the system of linear equations
is satisfied for a particular choice of these variables is $m^n / m^{n+j} = 1/m^j$.
This proves the first part of the result.

For the second part, note that we may assume $\theta = j$ by renaming the $x'$s if
required. Then
\[
\Pr\Big[L_j(v_j) = 0 \,\Big|\, \bigwedge_{k=1}^{j-1} (L_k(v_k) = 0)\Big]
= \frac{\Pr\big[\bigwedge_{k=1}^{j} (L_k(v_k) = 0)\big]}{\Pr\big[\bigwedge_{k=1}^{j-1} (L_k(v_k) = 0)\big]}
= \frac{m^{j-1}}{m^{j}} = \frac{1}{m}.
\]

Proposition 2. Let $m$ be a prime and $L(\cdot)$ be as defined in (2). Let $v_1, \ldots, v_j$
be identities, i.e., each $v_i = (v_{i,1}, \ldots, v_{i,n})$ is an $n$-bit string. Let $\theta \in \{1, \ldots, j\}$
and let $v'_\theta$ be an identity such that $v'_\theta \neq v_\theta$. Then
\[
\Pr\Big[(L_\theta(v'_\theta) = 0) \wedge \bigwedge_{k=1}^{j} (L_k(v_k) = 0)\Big] = \frac{1}{m^{j+1}}.
\]
The probability is over independent and uniform random choices of $x'_1, \ldots, x'_j$,
$x_1, \ldots, x_n$ from $\mathbb{Z}_m$. Consequently, we have
\[
\Pr\Big[L_\theta(v'_\theta) = 0 \,\Big|\, \bigwedge_{k=1}^{j} (L_k(v_k) = 0)\Big] = \frac{1}{m}.
\]
Proof: The proof is similar to the proof of Proposition 1. Without loss of
generality, we may assume that $\theta = j$, since otherwise we may rename variables
to achieve this. The condition $(L_\theta(v'_\theta) = 0) \wedge \bigwedge_{k=1}^{j} (L_k(v_k) = 0)$ is equivalent to
a system of linear equations $xA = 0$ over $\mathbb{Z}_m$. In this case, the form of $A$ is the
following.
\[
A = \begin{bmatrix} I_j & c^T & O_{j \times (n-1)} \\ V_{n \times j} & (v'_j)^T & O_{n \times (n-1)} \end{bmatrix}
\]
where $c = (0, \ldots, 0, 1)$; $c^T$ denotes the transpose of $c$ and $(v'_j)^T$ is the transpose
of $v'_j$. The first $j$ columns of $A$ are linearly independent. The $(j+1)$th column
of $A$ is clearly linearly independent of the first $(j-1)$ columns. We have $v_j \neq v'_j$
and $m > 2$, hence $v_j \neq v'_j \bmod m$. Using this, it is not difficult to see that the
first $(j+1)$ columns of $A$ are linearly independent and hence the rank of $A$ is
$(j+1)$. Consequently, the dimension of the solution space is $n-1$ and there
are $m^{n-1}$ solutions in $(x'_1, \ldots, x'_j, x_1, \ldots, x_n)$ to the system of linear equations.
Since the $x'$s and the $x$'s are chosen independently and uniformly at random
from $\mathbb{Z}_m$, the probability of getting a solution is $m^{n-1} / m^{n+j} = 1/m^{j+1}$. This
proves the first part of the result. The proof of the second part is similar to that
of Proposition 1. □
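As an added illustration (not part of the paper), the following Python script enumerates every choice of the $x'$s and $x$'s for a small prime $m$ and recovers the probabilities of Propositions 1 and 2 as exact fractions, including the conditional probability $1/m$ and the effect of dropping the requirement $v'_\theta \neq v_\theta$. It assumes $L_k(v_k) = x'_k + \sum_{i} v_{k,i} x_i \bmod m$, the linear system written out in the proof of Proposition 1; the identities and $m$ are constructed toy values.

```python
"""Exhaustive check of Propositions 1 and 2 (added example, not from the paper).

Assumes L_k(v_k) = x'_k + sum_i v_{k,i} x_i (mod m), the linear system in the proof
of Proposition 1, with x'_1..x'_j and x_1..x_n independent and uniform in Z_m.
For a small prime m every choice of the x's is enumerated, so each probability is
an exact Fraction that can be compared with 1/m^j, 1/m^(j+1) and 1/m.
"""
from fractions import Fraction
from itertools import product
from typing import Optional, Sequence, Tuple


def L(xp_k: int, x: Sequence[int], v_k: Sequence[int], m: int) -> int:
    """L_k(v_k) = x'_k + sum_i v_{k,i} x_i  (mod m)."""
    return (xp_k + sum(vi * xi for vi, xi in zip(v_k, x))) % m


def prob_all_zero(m: int, ids: Sequence[Sequence[int]],
                  extra: Optional[Tuple[int, Sequence[int]]] = None) -> Fraction:
    """Pr[ AND_{k=1..j} L_k(v_k) = 0 ] (Proposition 1), or with extra = (theta, v'):
    Pr[ L_theta(v') = 0 AND AND_{k=1..j} L_k(v_k) = 0 ] (Proposition 2),
    by enumerating all m^(j+n) choices of (x'_1..x'_j, x_1..x_n)."""
    j, n = len(ids), len(ids[0])
    hits = total = 0
    for xp in product(range(m), repeat=j):          # x'_1 .. x'_j
        for x in product(range(m), repeat=n):       # x_1 .. x_n
            total += 1
            ok = all(L(xp[k], x, ids[k], m) == 0 for k in range(j))
            if ok and extra is not None:
                theta, v_alt = extra                # theta is 1-based as in the paper
                ok = L(xp[theta - 1], x, v_alt, m) == 0
            hits += ok
    return Fraction(hits, total)


def conditional(m: int, ids, theta: int, v_alt) -> Fraction:
    """Pr[ L_theta(v') = 0 | AND_k L_k(v_k) = 0 ] = joint / marginal (second part of Prop. 2)."""
    return prob_all_zero(m, ids, (theta, v_alt)) / prob_all_zero(m, ids)


def check_propositions(m: int = 3) -> dict:
    """Constructed instance: j = 2 identities of n = 3 bits; v' = (1,1,0) differs from v_2."""
    ids = [(1, 0, 1), (0, 1, 1)]
    j = len(ids)
    return {
        "prop1": prob_all_zero(m, ids),                           # 1/m^j
        "prop2": prob_all_zero(m, ids, (2, (1, 1, 0))),           # 1/m^(j+1)
        "prop2_cond": conditional(m, ids, 2, (1, 1, 0)),          # 1/m
        # Proposition 2 needs v' != v_theta: with v' = v_2 the added row of the
        # system is redundant, the rank stays j and the probability stays 1/m^j.
        "same_identity": prob_all_zero(m, ids, (2, (0, 1, 1))),   # 1/m^j
        "expected_prop1": Fraction(1, m ** j),
        "expected_prop2": Fraction(1, m ** (j + 1)),
    }
```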

Proposition 3. The probability that the simulator in the proof of Theorem 1
does not abort before the artificial abort stage is at least $\lambda = \dfrac{1}{2\,(4q(n+1))^{h}}$.


Proof: We consider the simulator in the proof of Theorem 1. Up to the artificial
abort stage, the simulator could abort on either a key extraction query or in the
challenge stage. Let $\mathsf{abort}$ be the event that the simulator aborts before the
artificial abort stage. For $1 \le i \le q$, let $E_i$ denote the event that the simulator
does not abort on the $i$th key extraction query and let $C$ be the event that the
simulator does not abort in the challenge stage. We have
\[
\begin{aligned}
\Pr[\neg\mathsf{abort}] &= \Pr\Big[\Big(\bigwedge_{i=1}^{q} E_i\Big) \wedge C\Big] \\
&= \Pr\Big[\Big(\bigwedge_{i=1}^{q} E_i\Big) \,\Big|\, C\Big] \Pr[C] \\
&= \Big(1 - \Pr\Big[\Big(\bigvee_{i=1}^{q} \neg E_i\Big) \,\Big|\, C\Big]\Big) \Pr[C] \\
&\ge \Big(1 - \sum_{i=1}^{q} \Pr[\neg E_i \,|\, C]\Big) \Pr[C].
\end{aligned}
\]


We first consider the event $C$. Let the challenge identity be $v^* = (v^*_1, \ldots, v^*_{h^*})$.
Event $C$ holds if and only if $F_j(v^*_j) = 0 \bmod p$ for $1 \le j \le h^*$. Recall that by
choice of $p$, we can assume $F_j(v^*_j) = 0 \bmod p$ if and only if $x'_j + \sum_{k=1}^{n} x_k v^*_{j,k} = m k_j$. Hence,
\[
\Pr[C] = \Pr\Big[\bigwedge_{j=1}^{h^*} \Big(x'_j + \sum_{k=1}^{n} x_k v^*_{j,k} = m k_j\Big)\Big].
\]
For $1 \le j \le h^*$ and $0 \le i \le n$, denote the event $x'_j + \sum_{k=1}^{n} x_k v^*_{j,k} = m i$ by $A_{j,i}$
and the event $k_j = i$ by $B_{j,i}$. Also, let $C_{j,i}$ be the event $A_{j,i} \wedge B_{j,i}$.

Note that the event $\bigvee_{i=0}^{n} A_{j,i}$ is equivalent to $x'_j + \sum_{k=1}^{n} x_k v^*_{j,k} = 0 \bmod m$
and hence equivalent to the condition $L_j(v^*_j) = 0$. Since $k_j$ is chosen uniformly
at random from the set $\{0, \ldots, n\}$, we have $\Pr[B_{j,i}] = 1/(1+n)$ for all $j$ and
$i$. The events $B_{j,i}$ are independent of each other and also independent of the
$A_{j,i}$'s. We have
\[
\begin{aligned}
\Pr\Big[\bigwedge_{j=1}^{h^*} \Big(x'_j + \sum_{k=1}^{n} x_k v^*_{j,k} = m k_j\Big)\Big]
&= \Pr\Big[\bigwedge_{j=1}^{h^*} \Big(\bigvee_{i=0}^{n} C_{j,i}\Big)\Big] \\
&= \Big(\frac{1}{1+n}\Big)^{h^*} \Pr\Big[\bigwedge_{j=1}^{h^*} \Big(\bigvee_{i=0}^{n} A_{j,i}\Big)\Big] \\
&= \frac{1}{(1+n)^{h^*}} \Pr\Big[\bigwedge_{j=1}^{h^*} \big(L_j(v^*_j) = 0\big)\Big] \\
&= \frac{1}{(m(1+n))^{h^*}}.
\end{aligned}
\]
The last equality follows from Proposition 1.

Now we turn to bounding $\Pr[\neg E_i \,|\, C]$. For simplicity of notation, we will drop
the subscript $i$ from $E_i$ and consider the event $E$ that the simulator does not
abort on a particular key extraction query on an identity $(v_1, \ldots, v_j)$. By the
simulation, the event $\neg E$ implies that $L_i(v_i) = 0$ for all $1 \le i \le j$. This
holds even when the event is conditioned under $C$. Thus, we have $\Pr[\neg E \,|\, C] \le
\Pr[\bigwedge_{i=1}^{j} L_i(v_i) = 0 \,|\, C]$. The number of components in the challenge identity is $h^*$
and now two cases can happen:

$j \le h^*$: By the protocol constraint (a prefix of the challenge identity cannot be
queried to the key extraction oracle), we must have a $\theta$ with $1 \le \theta \le j$ such that
$v_\theta \neq v^*_\theta$.

$j > h^*$: In this case, we choose $\theta = h^* + 1$.

Now we have $\Pr[\neg E \,|\, C] \le \Pr\big[\bigwedge_{i=1}^{j} L_i(v_i) = 0 \,\big|\, C\big] \le \Pr[L_\theta(v_\theta) = 0 \,|\, C] = 1/m$.

The last equality follows from an application of either Proposition 1 or Proposition 2
according as whether $j > h^*$ or $j \le h^*$. Substituting this in the bound
for $\Pr[\neg\mathsf{abort}]$ we obtain
\[
\Pr[\neg\mathsf{abort}] \ge \Big(1 - \sum_{i=1}^{q} \Pr[\neg E_i \,|\, C]\Big) \Pr[C]
\ge \Big(1 - \frac{q}{m}\Big) \frac{1}{(m(n+1))^{h^*}} \ge \frac{1}{2} \times \frac{1}{(4q(n+1))^{h}},
\]
where the simulator's choice of $m$ and $h^* \le h$ are used to obtain the inequalities. This completes the proof. □


6 Conclusion 

Waters presented a construction of IBE [19] which significantly improves upon 
the previous construction of Boneh-Boyen [3]. In his paper, Waters also described 
a method to extend his IBE to a HIBE. The problem with this construction is 
that it increases the number of public parameters. In this paper, we have presented 
a construction of a HIBE which builds upon the previous (H)IBE protocols. The 
number of public parameters is significantly less compared to Waters’ HIBE. 
The main open problem in the construction of HIBE protocols is to avoid or 
control the security degradation which is exponential in the number of levels of 
the HIBE. 
Abstract. We introduce a primitive called Hierarchical Identity- 
Coupling Broadcast Encryption (HICBE) that can be used for construct- 
ing efficient collusion-resistant public-key broadcast encryption schemes 
with extended properties such as forward-security and keyword- 
searchability. Our forward-secure broadcast encryption schemes have 
small ciphertext and private key sizes, in particular, independent of the 
number of users in the system. One of our best two constructions achieves 
ciphertexts of constant size and user private keys of size $O(\log^2 T)$, where 
$T$ is the total number of time periods, while another achieves both ci- 
phertexts and user private keys of size $O(\log T)$. These performances 
are comparable to those of the currently best single-user forward-secure 
public-key encryption scheme, while our schemes are designed for broad- 
casting to arbitrary sets of users. As a side result, we also formalize the 
notion of searchable broadcast encryption, which is a new generaliza- 
tion of public key encryption with keyword search. We then relate it 
to anonymous HICBE and present a construction with polylogarithmic 
performance. 

1 Introduction 

A broadcast encryption (BE) scheme [16] allows a broadcaster to encrypt a message 
to an arbitrarily designated subset S of all users in the system. Any user in S can 
decrypt the message by using his own private key while users outside S should 
not be able to do so even if all of them collude. Such a scheme is motivated 
by many applications such as pay-TV systems, the distribution of copyrighted 
materials such as CD/DVD. Public-key broadcast encryption is the one in which 
the broadcaster key is public. Such a scheme is typically harder to construct than 
private-key type ones. In what follows, we let n denote the number of all users. 

The best BE scheme so far in the literature was recently proposed by Boneh, 
Gentry, and Waters [7]. Their scheme, which is a public-key scheme, achieves 
asymptotically optimal sizes, $O(1)$, for both broadcast ciphertexts and user private
keys, with the price of $O(n)$-size public key. (To achieve some tradeoff, they
also proposed a generalized scheme, of which one parametrization gives a scheme
where both the public keys and the ciphertexts are of size $O(\sqrt{n})$.) The previously
best schemes [20,19,18], along the line of the subset-cover paradigm by
Naor, Naor, and Lotspiech (NNL) [20], can only achieve a broadcast ciphertext
of size $O(r)$ with each user's private key being of size $O(\log n)$, where $r = n - |S|$
is the number of revoked users. Although these schemes are improved in [3] by
reducing the private key size to $O(1)$, the ciphertext is still of size $O(r)$.$^1$ These
NNL derivatives are originally private-key schemes. Dodis and Fazio [15] gave
a framework to extend these schemes to public-key versions using Hierarchical
Identity-Based Encryption (HIBE) [17]. Instantiating this framework with a recent
efficient HIBE scheme by Boneh, Boyen, and Goh [5] gives a public-key
version of NNL-based schemes without loss in performance of ciphertext sizes.

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 161-177, 2006.

Forward-Secure Broadcast Encryption. Unfortunately, a normal broadcast
encryption scheme offers no security protection for any user whatsoever once
his private key is compromised. As an extension to the normal variant in order
to cope with the vulnerability against key exposure, the notion of forward
security in the context of public-key broadcast encryption was first studied by
Yao et al. [22]. A forward-secure public-key broadcast encryption (FS-BE) allows
each user to update his private key periodically while keeping the public
key unchanged. Such a scheme guarantees that even if an adversary learns the
private key of some user at time period $\tau$, messages encrypted during all time
periods prior to $\tau$ remain secret. Yao et al. also proposed a FS-BE scheme achieving
ciphertexts of size $O(r \log T \log n)$ while each user's private key is of size
$O(\log^3 n \log T)$, where $T$ is the maximum allowed time period. Indeed, they proposed
a forward-secure HIBE scheme and then applied it to the NNL scheme in
essentially the same manner as done by [15], as mentioned above. Later, Boneh et
al. [5] proposed (at least two) more efficient forward-secure HIBE schemes, which
when applied to the NNL scheme give a FS-BE scheme with ciphertexts of size
$O(r)$ and private keys of size $O(\log^3 n \log T)$ and another FS-BE scheme with
ciphertexts of size $O(r \log T)$ and private keys of size $O((\log^2 n)(\log n + \log T))$.
These schemes are the best FS-BE schemes so far in the literature.

1.1 Our Contributions 

Towards constructing a more efficient FS-BE scheme, we introduce a new primi- 
tive called Hierarchical Identity-Coupling Broadcast Encryption (HICBE), which 
can be considered as a generalization either of BE that further includes hierarchi- 
cal-identity dimension together with key derivation functionality or of HIBE that 
further includes a user dimension together with broadcast functionality. Besides 
forward security, HICBE can be used to construct BE with other extended prop- 
erties such as keyword-searchability, which is another feature that we study as 
a side result in this paper (see below). 

1 Note that one advantage of these NNL-based schemes is that, in contrast to the BGW
scheme, all the other efficiency parameters, beside ciphertext sizes and private key
sizes, are also of sub-linear (in $n$) size.

Forward-Secure and Searchable Broadcast Encryption 163


FS-BE with Short Ciphertexts and Private Keys. Using HICBE as a
building block, we propose at least three new FS-BE schemes. One of our best two
schemes achieves ciphertexts of size $O(1)$ and user private keys of size $O(\log^2 T)$.
The other best scheme achieves ciphertexts of size $O(\log T)$ and user private
keys of size $O(\log T)$. These outperform the previous schemes in terms of both
overheads. In particular, they are independent of the parameters in the user
dimension, namely $n$ and $r$; moreover, the first scheme achieves the constant-size
ciphertext. These performances of our schemes are comparable to those of
the currently best single-user forward-secure public-key encryption scheme (cf.
[5]). The public keys for both schemes are of size $O(n + \log T)$. Analogously
to [7], we can show that this amount can be traded off to $O(\sqrt{n} + \log T)$ with
ciphertext size being increased to $O(\sqrt{n})$ and $O(\sqrt{n} + \log T)$ respectively in both
schemes.

Security of our systems is based on the Decision Bilinear Diffie-Hellman Exponent
assumption (BDHE), which is previously used in [7,5]. We prove the
security in the standard model (i.e., without random oracle).


Searchable Broadcast Encryption. Public-key BE can be applied naturally 
to encrypted file systems, which enable file sharing among privileged users over 
a public server, as already suggested in [7]. A file can be created by anyone using 
the public key and the privileged subset can be arbitrarily specified by the cre- 
ator of the file. Due to a possible large amount of databases, a user Alice might 
want to retrieve only those files that contain a particular keyword of interest 
(among all the files in which Alice is specified as a privileged user), but with- 
out giving the server the ability to decrypt the databases. Public-key Broadcast 
Encryption with Keyword Search (BEKS) allows exactly this. It enables 
Alice to give the server a capability (or a trapdoor) to test whether a particular 
keyword, w, is contained in any (and only) file that includes Alice as a privileged 
user. This is done in such a way that (1) the server is unable to learn anything 
else about that file, besides the information about containment of w, and (2) all 
the other users outside the privileged set cannot learn anything, in particular, 
cannot generate such a trapdoor, even if they collude. 

BEKS is a new generalization of public key encryption with keyword search
(PEKS) [6] that we introduce in this paper. We then show that an anonymous
ICBE (1-level HICBE) is sufficient to construct BEKS, analogously to the relation
between anonymous IBE and PEKS [1].

A trivial BEKS achieving ciphertexts of size 0(n) can be constructed from the 
concatenation of PEKS-encryption of the same keyword to each privileged user. 
Our scheme achieves ciphertexts of size 0(r log n), trapdoors of size 0(log 3 n), 
and private keys of size 0(log 4 n). Before coming up with this result, we construc- 
tively hint that even using the same technique as our FS-BE schemes (where a 
non-anonymous HICBE is sufficient), it might not be easy to construct a BEKS 
scheme with both ciphertext and private key of sizes independent of n. We refer 
for most of the results in this part to the full version of this paper [2] due to 
limited space here. 
2 Preliminaries

Bilinear Maps. We briefly review facts about bilinear maps. We use the standard
terminology from [8]. Let $G, G_1$ be multiplicative groups of prime order $p$.
Let $g$ be a generator of $G$. A bilinear map is a map $e : G \times G \to G_1$ for which
the following hold: (1) $e$ is bilinear; that is, for all $u, v \in G$, $a, b \in \mathbb{Z}$, we have
$e(u^a, v^b) = e(u,v)^{ab}$. (2) The map is non-degenerate: $e(g,g) \neq 1$. We say that
$G$ is a bilinear group if the group action in $G$ can be computed efficiently and
there exists $G_1$ for which the bilinear map $e : G \times G \to G_1$ is efficiently computable.
Although it is desirable to use the asymmetric type, $e : G \times G' \to G_1$ where
$G \neq G'$, so that group elements will have compact representation, for simplicity
we will present our schemes with the symmetric ones. Indeed, our schemes can be
rephrased in terms of asymmetric maps.

Decision BDHE Assumption.$^2$ Let $G$ be a bilinear group of prime order $p$.
The Decision $n$-BDHE (Bilinear Diffie-Hellman Exponent) problem [7,5] in $G$ is
stated as follows: given a vector
\[
\big(g, h, g^{\alpha}, g^{(\alpha^2)}, \ldots, g^{(\alpha^n)}, g^{(\alpha^{n+2})}, \ldots, g^{(\alpha^{2n})}, Z\big) \in G^{2n+1} \times G_1
\]
as input, determine whether $Z = e(g, h)^{(\alpha^{n+1})}$. We denote $g_i = g^{(\alpha^i)} \in G$ for
shorthand. Let $\mathbf{y}_{g,\alpha,n} = (g_1, \ldots, g_n, g_{n+2}, \ldots, g_{2n})$. An algorithm $\mathcal{A}$ that outputs
$b \in \{0, 1\}$ has advantage $\epsilon$ in solving Decision $n$-BDHE in $G$ if
$\big|\Pr[\mathcal{A}(g, h, \mathbf{y}_{g,\alpha,n}, e(g_{n+1}, h)) = 0] - \Pr[\mathcal{A}(g, h, \mathbf{y}_{g,\alpha,n}, Z) = 0]\big| \ge \epsilon$, where the probability is over
the random choice of generators $g, h \in G$, the random choice of $\alpha \in \mathbb{Z}_p$, the
random choice of $Z \in G_1$, and the randomness of $\mathcal{A}$. We refer to the distribution
on the left as $\mathcal{P}_{\mathrm{BDHE}}$ and the distribution on the right as $\mathcal{R}_{\mathrm{BDHE}}$. We say
that the Decision $(t, \epsilon, n)$-BDHE assumption holds in $G$ if no $t$-time algorithm
has advantage at least $\epsilon$ in solving the Decision $n$-BDHE problem in $G$. We
sometimes drop $t, \epsilon$ and refer to it as the Decision $n$-BDHE assumption in $G$.

3 Hierarchical Identity-Coupling Broadcast Encryption

Model. A HICBE system consists of $n$ users, each with index $i \in \{1, \ldots, n\}$.
In usage, a user index will be "coupled" with some additional arbitrary identity
tuple $\mathrm{ID} = (I_1, \ldots, I_z)$, for any $I_j$ in some predefined identity space $\mathcal{I}$ and any
$z = 1, \ldots, L$ where $L$ is a predetermined maximum depth of tuples. The user
$i$ coupling with ID, which we will refer to as a node $(i, \mathrm{ID})$, will possess its own
private key $d_{i,\mathrm{ID}}$. If $\mathrm{ID} = (I_1, \ldots, I_z)$, then for $j = 1, \ldots, z$, let $\mathrm{ID}|_j = (I_1, \ldots, I_j)$,
and let $\mathrm{ID}|_0$ be the empty string $\epsilon$. A HICBE system enables a derivation from
$d_{i,\mathrm{ID}|_{z-1}}$ to $d_{i,\mathrm{ID}}$. In particular, $d_{i,(I_1)}$ can be derived from $d_i$, the root private
key of $i$. A HICBE system enables one to encrypt a message to a set of nodes
$\{(i, \mathrm{ID}) \mid i \in S\}$ for arbitrary $S \subseteq \{1, \ldots, n\}$, where we say that it is encrypted
to multi-node $(S, \mathrm{ID})$. If $i \in S$, the user $i$ coupling with ID (who possesses $d_{i,\mathrm{ID}}$)
can decrypt this ciphertext. When $L = 1$, we simply call it an ICBE.

2 This holds in the generic bilinear group model with the computational lower bound of
$\Omega(\sqrt{p/n})$ on the difficulty of breaking (cf. [5]). Cheon [14] recently showed a concrete
attack with roughly the same complexity. It is recommended to either increase $p$ (to
$\approx$ 220-bit size for $n = 2^{64}$ to achieve $2^{80}$ security) or use $p$ of a special form where
$p - 1$ and $p + 1$ have no small divisor greater than $\log^2 p$ to avoid the attack.

Formally, a HICBE system is made up of five randomized algorithms as follows.
For simplicity, we define it as a key encapsulation mechanism (KEM).

Setup(n, L): Takes as input the number of all users $n$ and the maximum depth
$L$ of the identity hierarchy. It outputs a public key pk and a master key msk.
PrivKeyGen(i, pk, msk): Takes as input a user index $i$, the public key pk, and the
master key msk. It outputs a root private key $d_i$ of user $i$.
Derive(pk, i, ID, $d_{i,\mathrm{ID}|_{z-1}}$): Takes as input the public key pk, a user index $i$, an
identity ID of depth $z$, and the private key $d_{i,\mathrm{ID}|_{z-1}}$ of user $i$ coupling with
the parent identity $\mathrm{ID}|_{z-1}$. It outputs $d_{i,\mathrm{ID}}$. Here $d_{i,\mathrm{ID}|_0} = d_i$.
Encrypt(pk, S, ID): Takes as input the public key pk, a subset $S \subseteq \{1, \ldots, n\}$,
and an identity tuple ID. It outputs a pair (hdr, K) where hdr is called the
header and $K \in \mathcal{K}$ is a message encryption key. We will also refer to hdr as
the broadcast ciphertext.
Decrypt(pk, S, i, $d_{i,\mathrm{ID}}$, hdr): Takes as input the pk, a subset $S$, a user $i$, the private
key $d_{i,\mathrm{ID}}$ of user $i$ coupling with ID, and the header hdr. If $i \in S$ it outputs
$K \in \mathcal{K}$ else outputs a special symbol $\perp$.

The correctness consistency can be defined straightforwardly and is omitted here.

Confidentiality. We define semantic security of HICBE by the following game
between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$: both are given $n, L$ as input.

Setup. The challenger $\mathcal{C}$ runs Setup(n, L) to obtain a public key pk and the
master key msk. It then gives the public key pk to $\mathcal{A}$.

Phase 1. $\mathcal{A}$ adaptively issues queries $q_1, q_2, \ldots$, where each is one of two types:

- Private key query $(i, \mathrm{ID})$. $\mathcal{C}$ responds by running algorithm PrivKeyGen and
Derive to derive the private key $d_{i,\mathrm{ID}}$ corresponding to the node $(i, \mathrm{ID})$, then
sends $d_{i,\mathrm{ID}}$ to $\mathcal{A}$.

- Decryption query $(S, \mathrm{ID}, i, \mathrm{hdr})$ where $i \in S$. $\mathcal{C}$ responds by running algorithm
PrivKeyGen and Derive to derive the private key $d_{i,\mathrm{ID}}$ corresponding to the
node $(i, \mathrm{ID})$. It then gives to $\mathcal{A}$ the output from Decrypt(pk, S, i, $d_{i,\mathrm{ID}}$, hdr).

Challenge. Once $\mathcal{A}$ decides that Phase 1 is over, it outputs $(S^*, \mathrm{ID}^*)$ which is
the multi-node it wants to attack, where $S^* \subseteq \{1, \ldots, n\}$. The only restriction is
that $\mathcal{A}$ did not previously issue a private key query for $(i, \mathrm{ID})$ such that $i \in S^*$
and that either $\mathrm{ID} = \mathrm{ID}^*$ or ID is a prefix of $\mathrm{ID}^*$. $\mathcal{C}$ then computes $(\mathrm{hdr}^*, K) \leftarrow$
Encrypt(pk, $S^*$, $\mathrm{ID}^*$) where $K \in \mathcal{K}$. Next $\mathcal{C}$ picks a random $b \in \{0, 1\}$. It sets
$K_b = K$ and picks a random $K_{1-b}$ in $\mathcal{K}$. It then gives $(\mathrm{hdr}^*, K_0, K_1)$ to $\mathcal{A}$.

Phase 2. $\mathcal{A}$ issues additional queries, where each is one of two types:

- Private key query $(i, \mathrm{ID})$ such that if $i \in S^*$ then neither $\mathrm{ID} = \mathrm{ID}^*$ nor ID is
a prefix of $\mathrm{ID}^*$, else ($i \notin S^*$) ID can be arbitrary.
- Decryption query $(S, \mathrm{ID}, i, \mathrm{hdr})$ where $i \in S$ and $S \subseteq S^*$.$^3$ The only constraint
is that $\mathrm{hdr} \neq \mathrm{hdr}^*$ if either $\mathrm{ID} = \mathrm{ID}^*$ or ID is a prefix of $\mathrm{ID}^*$.

In both cases, $\mathcal{C}$ responds as in Phase 1. These queries may be adaptive.

Guess. Finally $\mathcal{A}$ outputs its guess $b' \in \{0, 1\}$ for $b$ and wins the game if $b = b'$.

We refer to such an adversary $\mathcal{A}$ as an IND-aID-aSet-CCA adversary and the
above game as the IND-aID-aSet-CCA game. Weaker notions of security can be
defined by modifying the above game so that it is required that the adversary
must commit ahead of time to the target subset $S^*$ or the target identity $\mathrm{ID}^*$
or both. These notions are analogous to the notion of selective-identity secure
HIBE, defined in [12,13]. We have 4 possible combinations: the game IND-xID-ySet-CCA
where $(x, y) \in \{(a, a), (a, s), (s, a), (s, s)\}$. If $(x, y) = (s, *)$ then it is
exactly the same as IND-aID-aSet-CCA except that $\mathcal{A}$ must disclose to $\mathcal{C}$ the
target identity $\mathrm{ID}^*$ before the Setup phase. Analogously, if $(x, y) = (*, s)$, $\mathcal{A}$ must
disclose the target subset $S^*$ before the Setup phase. For only the case of $(s, s)$,
it is further required that the restrictions on private key queries from Phase 2
also hold in Phase 1. Intuitively, s means selective while a means adaptive
security.

We define the advantage of the adversary $\mathcal{A}$ in attacking the HICBE scheme
$\mathcal{E}$ in the game IND-xID-ySet-CCA as $\mathrm{Adv}^{\mathrm{HICBE}}_{xy}(\mathcal{E}, \mathcal{A}) = \big|\Pr[b = b'] - \tfrac{1}{2}\big|$, where
the probability is over the random bits used by $\mathcal{C}$ and $\mathcal{A}$ in that game.

Definition 1. We say that a HICBE system $\mathcal{E}$ is $(t, q_P, q_D, \epsilon)$-IND-xID-ySet-CCA-secure
if for any $t$-time IND-xID-ySet-CCA adversary $\mathcal{A}$ that makes at most
$q_P$ chosen private key queries and at most $q_D$ chosen decryption queries, we have
that $\mathrm{Adv}^{\mathrm{HICBE}}_{xy}(\mathcal{E}, \mathcal{A}) \le \epsilon$. We say that a HICBE system $\mathcal{E}$ is $(t, q_P, \epsilon)$-IND-xID-ySet-CPA-secure
if $\mathcal{E}$ is $(t, q_P, 0, \epsilon)$-IND-xID-ySet-CCA-secure.

Anonymity. Recipient anonymity is the property that the adversary be unable
to distinguish the ciphertext intended for a chosen identity from another one
intended for a random identity. We capture such a property via what we name the
ANO-xID-ySet-CCA[$\Delta$] notion, where $\Delta \subseteq \{0, \ldots, L\}$ indicates a set of levels that
satisfy anonymity, with 0 corresponding to the anonymity of the set $S$. This is a
generalized notion from [1]. We refer to the full paper [2] for the details.

4 HICBE Constructions 

In this section, we give our first two HICBE constructions. A HICBE system 
must have both broadcast and hierarchical-identity-based derivation properties. 
To achieve this we will combine some techniques from the BGW broadcast en- 
cryption [7] with the BB and BBG HIBE systems by Boneh-Boyen [4] and Boneh- 
Boyen-Goh [5] respectively. The reader is encouraged to refer to the full paper [2] 
for the intuition into the design. 

3 It is WLOG that we just restrict $S \subseteq S^*$ since for $S$ such that $S \not\subseteq S^*$, one can issue
a private key query for some $i \in S \setminus S^*$ and perform the decryption oneself.
4.1 Our First HICBE Construction Based on BGW and BB

We first show how to combine the basic BGW scheme with the BB HIBE scheme.
We assume that the identity space $\mathcal{I}$ is $\mathbb{Z}_p$. Thus, if ID is of depth $z$ then
$\mathrm{ID} = (I_1, \ldots, I_z) \in \mathbb{Z}_p^z$. As in [4], we can later extend the construction to arbitrary
identities in $\{0,1\}^*$ by first hashing each $I_j$ using a collision resistant hash
function $H : \{0,1\}^* \to \mathbb{Z}_p$. We follow almost the same terminology from [7,4].
This scheme, denoted by BasicHICBE1, works as follows.

Setup(n, L): Let $G$ be a bilinear group of prime order $p$. It first picks a random
generator $g \in G$ and a random $\alpha \in \mathbb{Z}_p$. It computes $g_i = g^{(\alpha^i)} \in G$ for
$i = 1, 2, \ldots, n, n+2, \ldots, 2n$. Next, it picks a random $\gamma \in \mathbb{Z}_p$ and sets $v =
g^\gamma \in G$. It then picks random elements $h_1, \ldots, h_L \in G$. The public key is:
\[
\mathrm{pk} = (g, g_1, \ldots, g_n, g_{n+2}, \ldots, g_{2n}, v, h_1, \ldots, h_L) \in G^{2n+L+1}.
\]
The master key is $\mathrm{msk} = \gamma$. For $j = 1, \ldots, L$, we define $F_j : \mathbb{Z}_p \to G$ to be
the function $F_j(x) = g_1^x h_j$. The algorithm outputs pk and msk.
PrivKeyGen(i, pk, msk): Set a root private key for $i$ as $d_i = (g_i)^\gamma = v^{(\alpha^i)} \in G$.
Derive(pk, i, ID, $d_{i,\mathrm{ID}|_{z-1}}$): To generate the private key for node $(i, \mathrm{ID})$ where $i \in
\{1, \ldots, n\}$ and $\mathrm{ID} = (I_1, \ldots, I_z) \in \mathbb{Z}_p^z$ of depth $z \le L$, pick random elements
$s_1, \ldots, s_z \in \mathbb{Z}_p$ and output
\[
d_{i,\mathrm{ID}} = \Big((g_i)^\gamma \cdot F_1(I_1)^{s_1} \cdots F_z(I_z)^{s_z},\ g^{s_1}, \ldots, g^{s_z}\Big) \in G^{z+1}.
\]
Note that the private key for node $(i, \mathrm{ID})$ can be generated just given a
private key for node $(i, \mathrm{ID}|_{z-1})$ where $\mathrm{ID}|_{z-1} = (I_1, \ldots, I_{z-1}) \in \mathbb{Z}_p^{z-1}$, as
required. Indeed, let $d_{i,\mathrm{ID}|_{z-1}} = (a_0, \ldots, a_{z-1})$ be the private key for node
$(i, \mathrm{ID}|_{z-1})$. To generate $d_{i,\mathrm{ID}}$, pick a random $s_z \in \mathbb{Z}_p$ and output $d_{i,\mathrm{ID}} =
(a_0 \cdot F_z(I_z)^{s_z}, a_1, \ldots, a_{z-1}, g^{s_z})$.

Encrypt(pk, S, ID): Pick a random $t \in \mathbb{Z}_p$ and set $K = e(g_{n+1}, g)^t$. The value
$e(g_{n+1}, g)$ can be computed as $e(g_n, g_1)$. Let $\mathrm{ID} = (I_1, \ldots, I_z)$. It outputs
(hdr, K) where we let
\[
\mathrm{hdr} = \Big(g^t,\ \big(v \cdot \prod_{j \in S} g_{n+1-j}\big)^t,\ F_1(I_1)^t, \ldots, F_z(I_z)^t\Big).
\]
Decrypt(pk, S, i, $d_{i,\mathrm{ID}}$, hdr): Parse the header as $\mathrm{hdr} = (C_0, C_1, A_1, \ldots, A_z) \in
G^{z+2}$. Also parse $d_{i,\mathrm{ID}} = (a_0, \ldots, a_z) \in G^{z+1}$. Then output
\[
K = e(g_i, C_1) \cdot \prod_{j=1}^{z} e(A_j, a_j) \Big/ e\Big(a_0 \cdot \prod_{j \in S,\, j \neq i} g_{n+1-j+i},\ C_0\Big).
\]

The correctness verification is straightforward. The scheme inherits a good property
of the BGW scheme: the ciphertext size and user private key size are independent
of $n$. Indeed, when we let $\mathrm{ID} = \epsilon$, the corresponding algorithms become
those of the basic BGW scheme.
Theorem 1. Let $G$ be a bilinear group of prime order $p$. Suppose the Decision
$(t, \epsilon, n)$-BDHE assumption holds in $G$. Then the BasicHICBE1 system for $n$ users
and maximum depth $L$ is $(t', q_P, \epsilon)$-IND-sID-sSet-CPA-secure for any $n$, $L$, $q_P$, and
$t' \le t - \Theta(T_{exp} L q_P)$ where $T_{exp}$ is the maximum time for an exponentiation in $G$.

The security proof, although vaguely resembles those of BGW and BB, is not 
straightforward as we have to simulate both sub-systems simultaneously. In- 
tuitively, the implicit “orthogonality” of BGW and BB allows us to prove the 
security of the combined scheme. We omit it here (and refer to [2]) and will focus 
on a similar but somewhat more interesting proof of the second scheme. 

4.2 Our Second HICBE Construction Based on BGW and BBG 

Our method of integrating the BGW system can also be applied to the BBG 
HIBE scheme analogously to the previous integration. In contrast, this time we 
achieve a feature of “reusing” the public key from the BGW portion to be used 
for the BBG portion. Consequently, the resulting scheme has exactly the same 
public key as the BGW scheme except for only one additional element of G. 

We will assume that $L \le n$; otherwise, create dummy users so that this holds (a more efficient way is discussed in the next subsection). As usual we can assume that the identity space $\mathcal{I}$ is $\mathbb{Z}_p$. The scheme, denoted by BasicHICBE2, works as follows.

Setup(n, L): The algorithm first picks a random generator $g \in \mathbb{G}$ and a random $\alpha \in \mathbb{Z}_p$. It computes $g_i = g^{\alpha^i} \in \mathbb{G}$ for $i = 1, 2, \dots, n, n+2, \dots, 2n$. Next, it randomly picks $y \in \mathbb{G}$, $\gamma \in \mathbb{Z}_p$ and sets $v = g^\gamma \in \mathbb{G}$. The public key is:

$$\mathrm{pk} = (g, g_1, \dots, g_n, g_{n+2}, \dots, g_{2n}, v, y) \in \mathbb{G}^{2n+2}.$$

The master key is $\mathrm{msk} = \gamma$. It outputs (pk, msk). For conceptual purposes, let $h_j = g_{n+1-j}$ for $j = 1, \dots, L$; intuitively, the $h_j$ terms will be used to visually indicate the BBG portion, while the $g_j$ terms are for the BGW portion.

PrivKeyGen(i, pk, msk): Set a root private key for i as $d_i = (g_i)^\gamma = v^{\alpha^i} \in \mathbb{G}$.

Derive(pk, i, ID, $d_{i,ID|_{z-1}}$): To generate the private key for node (i, ID) where $i \in \{1, \dots, n\}$ and $ID = (I_1, \dots, I_z) \in \mathbb{Z}_p^z$ of depth $z \le L$, pick a random element $s \in \mathbb{Z}_p$ and output

$$d_{i,ID} = \Big( (g_i)^\gamma \cdot \big(h_1^{I_1} \cdots h_z^{I_z} \cdot y\big)^s,\ g^s,\ h_{z+1}^s, \dots, h_L^s \Big) \in \mathbb{G}^{2+L-z}.$$

Note that the private key for node (i, ID) can be generated just given a private key for node $(i, ID|_{z-1})$, where $ID|_{z-1} = (I_1, \dots, I_{z-1}) \in \mathbb{Z}_p^{z-1}$, as required. Indeed, let $d_{i,ID|_{z-1}} = (a_0, a_1, b_z, \dots, b_L)$ be the private key for node $(i, ID|_{z-1})$. To generate $d_{i,ID}$, pick a random $\delta \in \mathbb{Z}_p$ and output

$$d_{i,ID} = \Big( a_0 \cdot b_z^{I_z} \cdot \big(h_1^{I_1} \cdots h_z^{I_z} \cdot y\big)^\delta,\ a_1 \cdot g^\delta,\ b_{z+1} \cdot h_{z+1}^\delta, \dots, b_L \cdot h_L^\delta \Big).$$

This key has a proper distribution as a private key for node (i, ID) with the randomness $s = s' + \delta \in \mathbb{Z}_p$, where $s'$ is the randomness in $d_{i,ID|_{z-1}}$. Note that the private key $d_{i,ID}$ becomes shorter as the depth of ID increases.
Encrypt(pk, S, ID): Pick a random $t \in \mathbb{Z}_p$ and set $K = e(g_{n+1}, g)^t$. The value $e(g_{n+1}, g)$ can be computed as $e(g_n, g_1)$. Let $ID = (I_1, \dots, I_z)$. It outputs (hdr, K) where we let

$$\mathrm{hdr} = \Big( g^t,\ \big(v \cdot \prod_{j \in S} g_{n+1-j}\big)^t,\ \big(h_1^{I_1} \cdots h_z^{I_z} \cdot y\big)^t \Big) \in \mathbb{G}^3.$$

Decrypt(pk, S, i, $d_{i,ID}$, hdr): Let $\mathrm{hdr} = (C_0, C_1, C_2) \in \mathbb{G}^3$ and let $d_{i,ID} = (a_0, a_1, b_{z+1}, \dots, b_L) \in \mathbb{G}^{2+L-z}$. Then output

$$K = e(g_i, C_1) \cdot e(C_2, a_1) \Big/ e\Big(a_0 \cdot \prod_{j \in S,\ j \neq i} g_{n+1-j+i},\ C_0\Big).$$

The scheme inherits good properties from both the BGW scheme (the ciphertext size and user private key size are independent of n) and the BBG scheme (the ciphertext size is constant). One difference from the BBG system is that we let the $h_j$ terms be of a special form, namely $h_j = g_{n+1-j}$, instead of random elements in $\mathbb{G}$ as in [5]. This allows us to save on the public key size, since those $g_j$ terms are already used for the BGW system. Indeed, suppose that the BGW BE system has already been established; it can be augmented to a HICBE version by publishing, just once, one random element, namely $y \in \mathbb{G}$, as an additional public key. Note that defining the $h_j$ terms in this way is also crucial to the security proof. We prove the security under the Decision n-BDHE assumption. This strong assumption is already necessary for both the (stand-alone) BGW and BBG systems.⁴
Theorem 2. Let $\mathbb{G}$ be a bilinear group of prime order p. Suppose the Decision $(t, \epsilon, n)$-BDHE assumption holds in $\mathbb{G}$. Then the BasicHICBE2 scheme for n users and maximum depth L is $(t', q_P, \epsilon)$-IND-sID-sSet-CPA-secure for arbitrary n, L such that $L \le n$ and $q_P$, and any $t' < t - \Theta(\tau_{\exp} L q_P)$, where $\tau_{\exp}$ is the maximum time for an exponentiation in $\mathbb{G}$.

Proof. Suppose there exists an adversary, A, that has advantage $\epsilon$ in attacking the HICBE scheme. We build an algorithm B that solves the Decision n-BDHE problem in $\mathbb{G}$. B is given as input a random n-BDHE challenge $(g, h, \vec{y}_{g,\alpha,n}, Z)$, where $\vec{y}_{g,\alpha,n} = (g_1, \dots, g_n, g_{n+2}, \dots, g_{2n})$ and Z is either $e(g_{n+1}, h)$ or a random element in $\mathbb{G}_1$ (recall that $g_j = g^{\alpha^j}$). Algorithm B proceeds as follows.

Initialization. The selective (identity, subset) game begins with A first outputting a multi-node $(S^*, ID^*)$, where $S^* \subseteq \{1, \dots, n\}$ and $ID^* = (I_1^*, \dots, I_z^*) \in \mathbb{Z}_p^z$ of depth $z \le L$, that it intends to attack.

Setup. To generate pk, algorithm B randomly chooses $u, \sigma \in \mathbb{Z}_p$ and sets

$$v = g^u \cdot \Big(\prod_{j \in S^*} g_{n+1-j}\Big)^{-1}, \qquad y = g^\sigma \cdot \prod_{j=1}^{z} g_{n+1-j}^{-I_j^*}.$$

⁴ It was later shown in [5, full] that a truncated form of Decision n-BDHE, namely the Decision n-wBDHI, indeed suffices for BBG. This assumption is defined exactly the same as the former except that we change the vector $\vec{y}_{g,\alpha,n}$ to $\vec{y}'_{g,\alpha,n} := (g_1, \dots, g_n)$.

It gives A the public key $\mathrm{pk} = (g, \vec{y}_{g,\alpha,n}, v, y)$. Since $g, \alpha, u, \sigma$ are chosen randomly and independently, pk has an identical distribution to that in the actual construction.

Phase 1. A issues up to $q_P$ private key queries. Consider a query for the private key corresponding to node (i, ID), where $ID = (I_1, \dots, I_w) \in \mathbb{Z}_p^w$ with $w \le L$. We distinguish two cases according to whether i is in $S^*$ or not.

If $i \notin S^*$ then B responds to the query by first computing a root private key $d_i$, from which it can then construct a private key $d_{i,ID}$ for the requested node (i, ID). In this case, B computes $d_i$ as $d_i = g_i^u \cdot (\prod_{j \in S^*} g_{n+1-j+i})^{-1}$; every factor is known to B, since $i \notin S^*$ means that no index $n+1-j+i$ equals $n+1$. Indeed, we have

$$d_i = \Big( g^u \cdot \big(\prod_{j \in S^*} g_{n+1-j}\big)^{-1} \Big)^{(\alpha^i)} = v^{(\alpha^i)},$$

as required.

If $i \in S^*$ then, from the restriction on private key queries, it must be that ID is neither $ID^*$ nor any prefix of $ID^*$. We further distinguish two cases according to whether $ID^*$ is a prefix of ID or not.

Case 1: $ID^*$ is not a prefix of ID. Then there must exist $k \le z$ that is the smallest index satisfying $I_k \neq I_k^*$. B responds to the query by first computing a private key for node $(i, ID|_k)$, from which it then constructs a private key for the requested node (i, ID). B picks a random element $\tilde{s} \in \mathbb{Z}_p$. We pose $s = \tilde{s} + \alpha^k / (I_k - I_k^*)$. Note that s is unknown to B. Next, B generates the private key

$$(a_0, a_1, b_{k+1}, \dots, b_L) = \Big( (g_i)^\gamma \cdot \big(h_1^{I_1} \cdots h_k^{I_k} \cdot y\big)^s,\ g^s,\ h_{k+1}^s, \dots, h_L^s \Big) \qquad (1)$$

which is a valid random private key for node $(i, ID|_k)$ by definition. We show that B can compute all elements of this private key given the values that it knows.
Recall that $h_j = g_{n+1-j}$. To generate $a_0$, we first assume that $k < z$. Writing $(g_i)^\gamma = v^{\alpha^i} = g_i^u \cdot (\prod_{j \in S^*} g_{n+1-j+i})^{-1}$ and using $I_j = I_j^*$ for $j < k$, we observe

$$a_0 = \underbrace{g_i^{u} \cdot \Big(\prod_{j \in S^*} g_{n+1-j+i}\Big)^{-1} \cdot g_{n+1-k}^{(I_k - I_k^*)\, s}}_{T_1} \cdot \underbrace{g^{\sigma s}}_{T_2} \cdot \underbrace{\prod_{j=k+1}^{z} g_{n+1-j}^{-I_j^*\, s}}_{T_3}.$$

The term $T_1$ can be computed by B since, substituting $s = \tilde{s} + \alpha^k/(I_k - I_k^*)$ and separating the factor $j = i$ of the product,

$$T_1 = g_i^{u} \cdot \Big(\prod_{j \in S^*,\ j \neq i} g_{n+1-j+i}\Big)^{-1} \cdot g_{n+1}^{-1} \cdot g_{n+1-k}^{(I_k - I_k^*)\, \tilde{s}} \cdot g_{n+1-k}^{\alpha^k} = g_i^{u} \cdot \Big(\prod_{j \in S^*,\ j \neq i} g_{n+1-j+i}\Big)^{-1} \cdot g_{n+1-k}^{(I_k - I_k^*)\, \tilde{s}},$$

where the unknown term $g_{n+1} = g_{n+1-k}^{\alpha^k}$ is canceled out. The term $T_2 = g^{\sigma \tilde{s}} \cdot g_k^{\sigma/(I_k - I_k^*)}$ can be computed by using $g_k$, which is not $g_{n+1}$ since $k \le z \le L \le n$. Each term in the product $T_3$ is computable since $g_{n+1-j}^{\alpha^k} = g_{n+1-j+k}$ and, for $j = k+1, \dots, z$, the terms $g_{n+1-j}$ and $g_{n+1-j+k}$ are not equal to $g_{n+1}$ and hence can be computed. It is left to consider the case $k = z$. In this case, $a_0$ is exactly the same as above except that the last product term, i.e., $T_3$, does not appear. The analysis of computability by B thus follows from the same argument.

The component $a_1$ can be generated since $a_1 = g^s = g^{\tilde{s}} \cdot g_k^{1/(I_k - I_k^*)}$. For $j = k+1, \dots, L$, the value $b_j$ can be computed as $b_j = h_j^s = h_j^{\tilde{s}} \cdot g_{n+1-j+k}^{1/(I_k - I_k^*)}$.
Case 2: $ID^*$ is a prefix of ID. Then it holds that $z+1 \le w$. B responds to the query by first computing a private key for node $(i, ID|_{z+1})$, from which it then constructs a private key for the requested node (i, ID). B picks a random element $\tilde{s} \in \mathbb{Z}_p$. We pose $s = \tilde{s} + \alpha^{z+1} / I_{z+1}$. Note that s is unknown to B. Next, B generates the private key in exactly the same form as Eq. (1) (changing k to $z+1$, of course). From a similar observation as above, one can show that B can compute this key.

Challenge. To generate the challenge, B computes $\mathrm{hdr}^*$ as $(h, h^u, h^\sigma)$. It then randomly chooses a bit $b \in \{0, 1\}$, sets $K_b = Z$, and picks a random $K_{1-b}$ in $\mathbb{G}_1$. B then gives $(\mathrm{hdr}^*, K_0, K_1)$ to A.

We claim that when $Z = e(g_{n+1}, h)$ (that is, the input to B is an n-BDHE tuple) then $(\mathrm{hdr}^*, K_0, K_1)$ is a valid challenge to A as in a real attack game. To see this, write $h = g^t$ for some (unknown) $t \in \mathbb{Z}_p$. Then, we have that

$$h^u = (g^u)^t = \Big( g^u \cdot \big(\prod_{j \in S^*} g_{n+1-j}\big)^{-1} \cdot \prod_{j \in S^*} g_{n+1-j} \Big)^t = \Big( v \cdot \prod_{j \in S^*} g_{n+1-j} \Big)^t,$$

$$h^\sigma = (g^\sigma)^t = \Big( \prod_{j=1}^{z} g_{n+1-j}^{I_j^*} \cdot \big( g^\sigma \cdot \prod_{j=1}^{z} g_{n+1-j}^{-I_j^*} \big) \Big)^t = \big( h_1^{I_1^*} \cdots h_z^{I_z^*} \cdot y \big)^t.$$

Thus, by definition, $(h, h^u, h^\sigma)$ is a valid encryption of the key $e(g_{n+1}, g)^t$. Also, $e(g_{n+1}, g)^t = e(g_{n+1}, h) = Z = K_b$, and hence $(\mathrm{hdr}^*, K_0, K_1)$ is a valid challenge.

On the other hand, when Z is random in $\mathbb{G}_1$ (that is, the input to B is a random tuple) then $K_0, K_1$ are just random independent elements of $\mathbb{G}_1$.

Phase 2. A continues to ask queries not issued in Phase 1. B responds as before.

Guess. Finally, A outputs $b' \in \{0, 1\}$. If $b = b'$ then B outputs 1 (meaning $Z = e(g_{n+1}, h)$). Otherwise, it outputs 0 (meaning Z is random in $\mathbb{G}_1$).

We see that if $(g, h, \vec{y}_{g,\alpha,n}, Z)$ is sampled from $\mathcal{R}_{BDHE}$ then $\Pr[B(g, h, \vec{y}_{g,\alpha,n}, Z) = 0] = \frac{1}{2}$. On the other hand, if $(g, h, \vec{y}_{g,\alpha,n}, Z)$ is sampled from $\mathcal{P}_{BDHE}$ then $\big|\Pr[B(g, h, \vec{y}_{g,\alpha,n}, Z) = 0] - \frac{1}{2}\big| \ge \epsilon$. It follows that B has advantage at least $\epsilon$ in solving the n-BDHE problem in $\mathbb{G}$. This concludes the proof of Theorem 2. □

4.3 Extensions 

Modification. Recall that for BasicHICBE2 when $L > n$, we created dummy users so that the effective number of users is L. The resulting pk contained $2L+2$ elements of $\mathbb{G}$. We now give a more efficient scheme in this case ($L > n$). First, we change 'n' in all appearances in the description of BasicHICBE2 to 'L', except that the user indexes are as usual: $\{1, \dots, n\}$. Then we modify the public key to $\mathrm{pk} = (g, g_1, \dots, g_L, g_{L+2}, \dots, g_{L+n}, v, y) \in \mathbb{G}^{L+n+2}$, which is of smaller size than that of the above method. This modified scheme is secure under the Decision L-BDHE assumption. However, it can be shown to be secure under a weaker one, which is a new assumption that we call Decision (L, n)-BDHE (two values are specified instead of only one). It is defined exactly the same as the Decision L-BDHE except that we change $\vec{y}_{g,\alpha,L}$ to $\vec{y}_{g,\alpha,(L,n)} := (g_1, \dots, g_L, g_{L+2}, \dots, g_{L+n})$.

Generalizations. Without going into details, we can also combine the BGW system with the Hybrid BB/BBG scheme [5, full §4.2], which can trade off the public key and private key sizes against the ciphertext size. We denote this scheme by BasicHICBE($\omega$) for parameter $\omega \in [0, 1]$. It becomes BasicHICBE1 when $\omega = 1$ and BasicHICBE2 when $\omega = 0$. In this scheme, the public key, the private key, and the ciphertext contain $L^\omega + \max(L^{1-\omega}, n) + n + 1$, $\le L^{1-\omega} + L^\omega + 1$, and $\le L^\omega + 2$ elements in $\mathbb{G}$, respectively. It can also be further generalized in the other dimension, namely the user dimension, in the same manner as the generalized BGW scheme [7], which can trade off the public key size against the ciphertext size while the private key size remains fixed. In the resulting scheme, denoted by GenHICBE($\omega, \mu$), for $\mu \in [0, 1]$, the public key, the private key, and the ciphertext contain $L^\omega + \max(L^{1-\omega}, n^\mu) + n^\mu + n^{1-\mu}$, $\le L^{1-\omega} + L^\omega + 1$, and $\le L^\omega + n^{1-\mu} + 1$ elements in $\mathbb{G}$, respectively. Note that it becomes BasicHICBE($\omega$) when $\mu = 1$.

Chosen-Ciphertext and Adaptive-ID Security. We use the conversion due 
to Canetti et al. [13] or its derivatives [9,10] (adapted to the case of HICBE 
appropriately) to obtain IND-sID-sSet-CCA-secure schemes. An IND-alD-sSet- 
CCA-secure scheme can be constructed by combining the BGW system with 
Waters’ HIBE [21] in essentially the same way as our previous two schemes. 

5 Forward-Secure Public-Key Broadcast Encryption 

Model for FS-BE. The syntax of a forward-secure public-key broadcast encryption (FS-BE) scheme is introduced in [22]. Following [7], for simplicity we define it as a KEM. A key-evolving broadcast encryption is made up of six randomized algorithms. Via $(\mathrm{pk}, \mathrm{msk}_0) \leftarrow \mathrm{Setup}(n, T)$, where n is the number of receivers and T is the total number of time periods, the setup algorithm produces a public key pk and an initial master private key $\mathrm{msk}_0$; via $\mathrm{msk}_\tau \leftarrow \mathrm{MasUpdate}(\mathrm{pk}, \tau, \mathrm{msk}_{\tau-1})$ the master key update algorithm outputs a new master key $\mathrm{msk}_\tau$ for time period $\tau$; via $\mathrm{sk}_{i,\tau} \leftarrow \mathrm{Regist}(i, \tau, \mathrm{pk}, \mathrm{msk}_\tau)$ the center outputs a private key $\mathrm{sk}_{i,\tau}$ of user i for time period $\tau$; via $\mathrm{sk}_{i,\tau} \leftarrow \mathrm{Update}(\mathrm{pk}, i, \tau, \mathrm{sk}_{i,\tau-1})$ the user i updates his private key to $\mathrm{sk}_{i,\tau}$ for the consecutive time period; via $(\mathrm{hdr}, K) \leftarrow \mathrm{Encrypt}(\mathrm{pk}, S, \tau)$, where S is the set of recipients, a sender outputs a pair (hdr, K), a header and a message encryption key; via $K \leftarrow \mathrm{Decrypt}(\mathrm{pk}, S, i, \mathrm{sk}_{i,\tau}, \mathrm{hdr})$ a recipient $i \in S$ outputs $K \in \mathcal{K}$. A scheme is correct if (1) when $\mathrm{pk}, \mathrm{msk}_\tau, \mathrm{sk}_{i,\tau-1}$ are correctly generated, the distributions of private keys output from $\mathrm{Regist}(i, \tau, \mathrm{pk}, \mathrm{msk}_\tau)$ and from $\mathrm{Update}(\mathrm{pk}, i, \tau, \mathrm{sk}_{i,\tau-1})$ are the same; (2) Encrypt and Decrypt are consistent (in the standard way).

Security Notions. We define semantic security of a key-evolving BE in essentially the same way as in the case of the HICBE system. Such a notion is introduced by Yao et al. [22]. We reformalize and briefly state it here (see the full paper [2] for details). We define eight combinations of notions called IND-xFS$_i$-ySet-CCA security, where $(x, y) \in \{(a, a), (a, s), (s, a), (s, s)\}$, corresponding to whether the target time $\tau^*$ and/or the target set of recipients $S^*$ must be disclosed before the Setup phase or not, and $i \in \{1, 2\}$, where when $i = 2$ the adversary is also allowed to ask master key queries for $\mathrm{msk}_\tau$ of time $\tau$, while when $i = 1$ it is not. Note that the notion in [22] corresponds to IND-aFS$_1$-aSet-CCA security. We note that an IND-sFS$_i$-ySet-CCA-secure scheme is also secure in the sense of IND-aFS$_i$-ySet-CCA, albeit with a security degradation by a factor of T. For most applications, FS$_1$ security is sufficient. In this case, it is useful to consider MasUpdate as a trivial algorithm, as we let $\mathrm{msk}_\tau = \mathrm{msk}_0$ for all $\tau$ (and denote it by msk). Note that it is trivial to convert a scheme with FS$_1$ security to a new one achieving FS$_2$ security by letting $\mathrm{msk}_\tau$ contain all user keys of time $\tau$.

Conversion C [HICBE ⇒ FS-BE]. Given a HICBE scheme, we construct a FS-BE scheme using the "time tree" technique of [12], which was used to construct a forward-secure encryption from a binary tree encryption. Our conversion is essentially the same as that of [12] except that the user dimension is introduced.

For a forward-secure BE with T time periods, we imagine a complete balanced binary tree of depth $L = \log_2(T+1) - 1$. Let each node be labeled with a string in $\{0, 1\}^{\le L}$. We assign the root the empty string $\varepsilon$. The left and right children of w are labeled w0 and w1, respectively. From now on, to distinguish the abstract 'node' of a HICBE system from nodes in the binary tree, we refer to the former as an h-node and to the latter as usual. Following the notation in [12], we let $w^\tau$ be the $\tau$-th node in a pre-order traversal of the binary tree.⁵ WLOG, we assume that $0, 1 \in \mathcal{I}$, the identity space. Hence, we can view a binary string of length $z \le L$ as an identity tuple of length z. Encryption in time $\tau$ for a set S of recipients uses the encryption function of the HICBE scheme on the multi-node $(S, w^\tau)$. At time $\tau$ the private key also contains, besides the private key of h-node $(i, w^\tau)$ of the HICBE scheme, all the keys of h-nodes (i, y) where y is a right sibling of a node on the path from the root to $w^\tau$ in the binary tree. When updating the key to time $\tau+1$, we compute the private key of h-node $(i, w^{\tau+1})$ and erase the one of $(i, w^\tau)$. Since $w^{\tau+1}$ is either the left child of $w^\tau$ or one of the nodes whose keys are stored as the additional keys at time $\tau$, the derivation can be done, in particular, using at most one application of Derive. We denote this conversion by $C(\cdot)$ and give its formal description and its security proof in [2].
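The time-tree bookkeeping just described, as an added example that is not code from the paper: the pre-order successor of footnote 5, the key set $\mathrm{sk}_{i,\tau}$ (key of $w^\tau$ plus the right siblings on its path), and Update checked against Regist as in correctness condition (1). Node labels as strings, the State type and an HMAC chain standing in for Derive are this example's assumptions; the chain only models that a child key is derived from its parent and not the reverse, and the code derives both children of w before erasing w's key.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// NextNode maps w^tau to w^(tau+1) in pre-order (footnote 5): w0 for a non-leaf w, else v1 where v0 is the longest prefix of w ending in 0.
func NextNode(w string, L int) (string, bool) {
	if len(w) < L {
		return w + "0", true
	}
	if v := strings.TrimRight(w, "1"); v != "" {
		return v[:len(v)-1] + "1", true
	}
	return "", false // w = 1^L is the last node of the traversal
}

// NodeAt returns w^tau, the tau-th node of the pre-order traversal (w^1 = "").
func NodeAt(tau, L int) string {
	w, ok := "", true
	for t := 1; t < tau; t++ {
		if w, ok = NextNode(w, L); !ok {
			panic("tau exceeds the number of periods")
		}
	}
	return w
}

// deriveNode stands in for repeated Derive: each step maps the key of h-node (i, w) to
// the key of (i, w||b) as HMAC(key, b). This is a constructed stand-in, not HICBE.
func deriveNode(key []byte, path string) []byte {
	for j := 0; j < len(path); j++ {
		m := hmac.New(sha256.New, key)
		m.Write([]byte{path[j]})
		key = m.Sum(nil)
	}
	return key
}

// State is sk_{i,tau}: the key of w^tau plus the keys of the right siblings on its path.
type State struct {
	L, Tau int
	Node   string
	Keys   map[string][]byte
}

// Regist computes sk_{i,tau} directly from the user's root key (the center's job).
func Regist(root []byte, L, tau int) *State {
	w := NodeAt(tau, L)
	st := &State{L: L, Tau: tau, Node: w, Keys: map[string][]byte{w: deriveNode(root, w)}}
	for j := 0; j < len(w); j++ {
		if w[j] == '0' { // w[:j]||1 is the right sibling of the path node w[:j+1]
			st.Keys[w[:j]+"1"] = deriveNode(root, w[:j]+"1")
		}
	}
	return st
}

// Update moves from tau to tau+1 using only the stored keys, then erases the key
// of w^tau. Descending to w0 also derives the sibling w1 before w is erased.
func (st *State) Update() bool {
	next, ok := NextNode(st.Node, st.L)
	if !ok {
		return false // already in the last period
	}
	if len(st.Node) < st.L {
		cur := st.Keys[st.Node]
		st.Keys[next] = deriveNode(cur, "0")
		st.Keys[st.Node+"1"] = deriveNode(cur, "1")
	} // otherwise next is a stored right sibling and needs no derivation
	delete(st.Keys, st.Node)
	st.Node, st.Tau = next, st.Tau+1
	return true
}

// SameState checks correctness condition (1): Regist and Update must agree.
func SameState(a, b *State) bool {
	if a.Tau != b.Tau || a.Node != b.Node || len(a.Keys) != len(b.Keys) {
		return false
	}
	for w, k := range a.Keys {
		if !bytes.Equal(k, b.Keys[w]) {
			return false
		}
	}
	return true
}

func main() {
	root, L := []byte("constructed root key"), 2 // L = 2 gives T = 2^(L+1)-1 = 7 periods
	for st := Regist(root, L, 1); st.Update(); {
		fmt.Printf("tau=%d w=%q stored=%d agrees=%v\n", st.Tau, st.Node, len(st.Keys), SameState(st, Regist(root, L, st.Tau)))
	}
}
```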

Theorem 3. Suppose that the scheme HICBE for L levels is $(t, q_P, q_D, \epsilon)$-IND-xID-ySet-CCA-secure (resp., $(t, q_P, \epsilon)$-IND-xID-ySet-CPA-secure) for some $(x, y) \in \{(a, a), (a, s), (s, a), (s, s)\}$. Then the scheme C(HICBE) for T time periods is $(t, q'_P, q_D, \epsilon)$-IND-xFS$_1$-ySet-CCA-secure (resp., $(t, q'_P, \epsilon)$-IND-xFS$_1$-ySet-CPA-secure) for $q'_P \le q_P / L$, where $L = \log(T+1) - 1$.

Resulting FS-BE Schemes. It is easy to see that in the resulting scheme, the private key size is expanded by a factor of $O(\log T)$ while the other parameters are unchanged from the original HICBE scheme (instantiated for $\log(T+1) - 1$ levels of identities). We have that the C(BasicHICBE1) scheme achieves ciphertexts of size $O(\log T)$ and user private keys of size $O(\log^2 T)$, while the C(BasicHICBE2) scheme achieves ciphertexts of size $O(1)$ and user private keys of size $O(\log^2 T)$.

We also directly construct a more efficient but specific FS-BE scheme, denoted by DirFSBE, which is not built via the generic conversion. It can be considered as

⁵ The pre-order traversal starts from the root, $w^1 = \varepsilon$. From w it goes to w0 if w is not a leaf; otherwise it goes to v1, where v0 is the largest string that is a prefix of w.
Table 1. Comparison among previous and our FS-BE schemes (upper and lower table, resp.). T = |total time periods|, n = |all users|, r = |revoked users|. The time complexity is expressed in terms of the number of operations, where [e] is exponentiation, [p] is bilinear pairing, and [m] is group multiplication, while [o] indicates the time complexity for some other process. '⇐' means that the entry has the same value as the entry on its left. (Cells that could not be recovered from the source are left empty.)

Upper table (previous schemes):

| Params | GS(NNL) ×_YFDL GS [22] | BBG(NNL) ×_YFDL BBG [5, full §5.2] | BBG(NNL) ⊥_BBG BB [5, full §C] |
|---|---|---|---|
| Reg time | O(log³ n log T) [e] | ⇐ | O((log² n)(log n + log T)) [e] |
| Enc time | O(r log n log T) [e] | | O(r (log n + log T)) [e] |
| Dec time | O(log n log T) [p] + O(r) [o] | ⇐ | O(log T) [p] + O(r) [o] |
| Upd time | O(log³ n) [e] | ⇐ | O(log² n log T) [e] |
| Pub key size | O(log n + log T) | ⇐ | ⇐ |
| Pri key size | O(log³ n log T) | ⇐ | O((log² n)(log n + log T)) |
| Cipher size | O(r log n log T) | O(r) | O(r log T) |

Lower table (our schemes):

| Params | C(BasicHICBE1) | DirFSBE | C(BasicHICBE2) | C(GenHICBE(0.5, 0.5)) |
|---|---|---|---|---|
| Reg time | O(log T) [e] | ⇐ | | O(√log T) [e] |
| Enc time | O(n) [m] + O(log T) [e] | ⇐ | | O(√n) [m] + O(√log T) [e] |
| Dec time | O(n) [m]⁶ + O(log T) [p] | ⇐ | O(n) [m]⁶ + O(1) [p] | O(√n) [m] + O(√log T) [p] |
| Upd time | O(1) [e] | ⇐ | ⇐ | ⇐ |
| Pub key size | O(n + log T) | ⇐ | | O(√n + √log T) |
| Pri key size | O(log² T) | O(log T) | O(log² T) | O(log^1.5 T) |
| Cipher size | O(log T) | ⇐ | O(1) | O(√n + √log T) |

a redundancy-free version of C(BasicHICBE1) which can reduce the private key size to $O(\log T)$ without affecting other parameters. This can be seen as reminiscent of the "Linear fs-HIBE" scheme in [5, full §C]. Its generalized scheme, denoted by DirFSBE($\mu$), can be constructed as in §4.3. It trades off public keys of size $O(n^\mu + n^{1-\mu} + \log T)$ against ciphertexts of size $O(n^{1-\mu} + \log T)$.

Efficiency Comparisons. We draw comparisons among FS-BE schemes by wrapping up in Table 1. We name the three previous schemes intuitively after their approaches, where '×_YFDL' is the "cross-product" approach by Yao et al. [22], '⊥_BBG' is the orthogonal integration approach by Boneh et al. [5, full §C], and the two operands indicate the underlying HIBEs, which include GS (the Gentry-Silverberg HIBE [17]), BB, and BBG. (See more details in [2].)

6 Public-Key Broadcast Encryption with Keyword 
Search 

6.1 Definitions and Relation to Anonymous ICBE 

Model for BEKS. A public-key BE with keyword search (BEKS) consists of four algorithms. Via $(\mathrm{pk}, (\mathrm{sk}_1, \dots, \mathrm{sk}_n)) \leftarrow \mathrm{Setup}(n)$ the setup algorithm

⁶ This is due to the computation of $\prod_{j \in S} g_{n+1-j+i}$, which can indeed be precomputed. This is useful when S is incrementally changed (cf. [7]).

produces a public key and n user keys; via $C \leftarrow \mathrm{BEKS}(\mathrm{pk}, S, w)$ a sender encrypts a keyword w to get a ciphertext (C, S) intended for recipients in $S \subseteq \{1, \dots, n\}$; via $t_{i,w} \leftarrow \mathrm{Td}(i, w, \mathrm{sk}_i)$ the receiver i computes a trapdoor $(t_{i,w}, i)$ for keyword w and provides it to the gateway (the server); via $b \leftarrow \mathrm{Test}(\mathrm{pk}, i, t_{i,w}, C, S)$ for $i \in S$ the gateway can test whether C encrypts w, where $b = 1$ means "positive" and $b = 0$ means "negative". Here if $i \notin S$ it always outputs $\bot$. We describe the right-keyword consistency (correctness), the computational consistency (in the sense of [1]), and the security notion, which we name IND-xKW-ySet-CPA, in the full paper [2]. The security captures the property that the adversary is unable to distinguish the encryption of a chosen keyword from that of a random one.

Conversion K [ICBE ⇒ BEKS]. The conversion of [1] that compiles any anonymous IBE into a PEKS can be generalized to a broadcast version straightforwardly. More concretely, we construct BEKS from ICBE as follows. $\mathrm{Setup}_{BEKS}(n)$ can be constructed from $\mathrm{Setup}_{ICBE}$ and $\mathrm{PrivKeyGen}_{ICBE}$ by relating the same public key pk and relating the private key $\mathrm{sk}_i = d_i$. The remaining algorithms work as follows: $t_{i,w} \leftarrow \mathrm{Td}(i, w, \mathrm{sk}_i) = \mathrm{Derive}_{ICBE}(i, w, d_i)$; $(C_1, C_2) \leftarrow \mathrm{BEKS}(\mathrm{pk}, S, w) = \mathrm{Encrypt}_{ICBE}(\mathrm{pk}, S, w)$; $\mathrm{Test}(\mathrm{pk}, i, t_{i,w}, (C_1, C_2), S)$ outputs $\bot$ if $i \notin S$, else outputs 1 if $\mathrm{Decrypt}_{ICBE}(\mathrm{pk}, S, i, t_{i,w}, C_1) = C_2$, else outputs 0. Denote this conversion by $K(\cdot)$. Its correctness is immediate from that of ICBE. Indeed, $t_{i,w}, C_1, C_2$ correspond to $d_{i,w}, \mathrm{hdr}, K$ in the ICBE scheme, respectively. We remark that our conversion is a little different from (and simpler than) that of [1], in particular since we have formalized the ICBE as a KEM.

Theorem 4. (Informal) If the scheme ICBE is ANO-xlD-ySet-CPA[{l}]-secure, 
then the BEKS scheme K(ICBE) is IND-xKW-ySet-CPA-secure. Further, if ICBE 
is semantically secure, then K(ICBE) is computationally consistent. 

6.2 Constructing Anonymous (H)ICBE 

Attempts. As one may expect, the first attempt is to use our integration method to combine the BGW system with the anonymous HIBE, BW, by Boyen-Waters [11], which has a BB/BBG-like structure. Somewhat surprisingly and unfortunately, the resulting HICBE scheme is not ANO-sID-sSet-CPA-secure. Essentially, this is precisely due to the implicit orthogonality of BGW and BW. Such a property enables any user $i \notin S^*$ to use the independent part of its private keys corresponding to the BW portion to easily distinguish whether a ciphertext is intended for $(S^*, ID^*)$ or $(S^*, R)$ for random R, thus breaking anonymity. Dilemmatically, on the one hand, this orthogonality enables us to prove the confidentiality of the combined scheme; on the other hand, this very property gives an attack on the anonymity. We also remark that the approaches BB(NNL) ⊥_BBG BW and BBG(NNL) ⊥_BBG BW (where the notation is borrowed from the end of §5) also do not preserve the anonymity of BW, for a similar reason. See details in [2].


The Construction. From the above discussion, it is then natural to implement both the broadcast and identity dimensions from two non-orthogonal sub-systems. Therefore, we construct our scheme in [2], denoted by AnonHICBE, from the YFDL (cross-product) approach instantiated with two copies of the BW hierarchies, or in our terminology, BW(NNL) ×_YFDL BW. The resulting anonymous ICBE system achieves ciphertexts of size $O(r \log n)$ and private keys of size $O(\log^4 n)$ for the user level (level 0) and private keys of size $O(\log^3 n)$ for level 1. These translate to the sizes of ciphertext, private key, and trapdoor in BEKS, respectively.
Abstract. It has been demonstrated by Bellare, Neven, and Namprempre (Eurocrypt 2004) that identity-based signature schemes can be constructed from any PKI-based signature scheme. In this paper we consider the following natural extension: is there a generic construction of "identity-based signature schemes with additional properties" (such as identity-based blind signatures, verifiably encrypted signatures, ...) from PKI-based signature schemes with the same properties? Our results show that this is possible for a great number of properties including proxy signatures; (partially) blind signatures; verifiably encrypted signatures; undeniable signatures; forward-secure signatures; (strongly) key insulated signatures; online/offline signatures; threshold signatures; and (with some limitations) aggregate signatures.

Using well-known results for PKI-based schemes, we conclude that such identity-based signature schemes with additional properties can be constructed, enjoying some better properties than specific schemes proposed until now. In particular, our work implies the existence of identity-based signatures with additional properties that are provably secure in the standard model, do not need bilinear pairings, or can be based on general assumptions.

1 Introduction 

Digital signatures are one of the most fundamental concepts of modern cryp- 
tography. They provide authentication, integrity and non-repudiation to digital 
communications, which makes them the most used public key cryptographic tool 
in real applications. In order to satisfy the needs of some specific scenarios such 
as electronic commerce, cash, voting, or auctions, the original concept of digital 
signature has been extended and modified in multiple ways, giving rise to many 
kinds of what we call “digital signatures with additional properties”, e.g. blind 
signatures, verifiably encrypted signatures, and aggregated signatures. 

Initially, all these extensions were introduced for the standard PKI-based 
framework, where each user generates a secret key and publishes the matching 
public key. In practice, digital certificates linking public keys with identities of 
users are needed to implement these systems, and this fact leads to some draw- 
backs in efficiency and simplicity. For this reason, the alternative framework of 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 178-193, 2006. 
identity-based cryptography was introduced by Shamir [29]. The idea is that the 
public key of a user can be directly derived from his identity, and therefore digi- 
tal certificates are avoidable. The user obtains his secret key by interacting with 
some trusted master entity. In his paper, Shamir already proposed an identity- 
based signature scheme. In contrast, the problem of designing an efficient and 
secure identity-based encryption scheme remained open until [6,28]. 

From a theoretical point of view, results concerning identity-based encryption 
schemes are more challenging than those concerning identity-based signatures 
(IBS). In contrast to the identity-based encryption case it is folklore that a stan- 
dard PKI-based signature scheme already implies an identity-based signature 
scheme by using the signature scheme twice: for generating user secret keys and 
for the actual signing process. More precisely, the user secret key of an identity 
consists of a fresh PKI-based signing/verification key and a certificate proving the 
validity of the signing key. The latter certificate is established by the master entity 
by signing (using the master signing key) the new verification key together with 
the user’s identity. In the actual identity-based signing process the user employs 
this signing key to sign the message. The identity-based signature itself consists 
of this signature along with the certificate and the public verification key. 
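The certificate-based construction described in the paragraph above, as an added example that is not the paper's or [3]'s code: Ed25519 from Go's crypto/ed25519 plays the PKI-based scheme, the master entity certifies the pair (identity, verification key), and an identity-based signature is the triple (signature, certificate, verification key). The domain tag and the length-prefixed certificate encoding are this example's own choices, made so that no two (identity, key) pairs share a certificate body.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// MasterKeys is the trusted master entity's key pair: Priv certifies user keys,
// Pub is the system-wide verification key.
type MasterKeys struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// UserSecretKey is the secret key of an identity: a fresh PKI signing key pair
// plus the certificate Cert = Sign_Priv(ID || VK) issued by the master entity.
type UserSecretKey struct {
	ID   string
	VK   ed25519.PublicKey
	SK   ed25519.PrivateKey
	Cert []byte
}

// IBSignature is the identity-based signature: the user's signature on the
// message together with the certificate and the user's verification key.
type IBSignature struct {
	Sig  []byte
	Cert []byte
	VK   ed25519.PublicKey
}

// certBody encodes (ID, VK) unambiguously: a domain tag, the length-prefixed
// identity and the fixed-size key (constructed encoding, not from the paper).
func certBody(id string, vk ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(id)))
	buf.WriteString("IBS-CERT-v1:")
	buf.Write(n[:])
	buf.WriteString(id)
	buf.Write(vk)
	return buf.Bytes()
}

// MasterKeyGen sets up the master entity.
func MasterKeyGen() (*MasterKeys, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &MasterKeys{Pub: pub, Priv: priv}, nil
}

// Extract issues the user secret key for an identity: generate a fresh signing
// key and certify its verification key together with the identity.
func (m *MasterKeys) Extract(id string) (*UserSecretKey, error) {
	vk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	cert := ed25519.Sign(m.Priv, certBody(id, vk))
	return &UserSecretKey{ID: id, VK: vk, SK: sk, Cert: cert}, nil
}

// Sign produces the identity-based signature (sig, cert, vk) on msg.
func (u *UserSecretKey) Sign(msg []byte) IBSignature {
	return IBSignature{Sig: ed25519.Sign(u.SK, msg), Cert: u.Cert, VK: u.VK}
}

// Verify checks both links: the master entity certified VK for this identity,
// and VK verifies the signature on the message.
func Verify(mpk ed25519.PublicKey, id string, msg []byte, s IBSignature) bool {
	// ed25519.Verify panics on a public key of the wrong length; reject it instead.
	if len(mpk) != ed25519.PublicKeySize || len(s.VK) != ed25519.PublicKeySize {
		return false
	}
	if !ed25519.Verify(mpk, certBody(id, s.VK), s.Cert) {
		return false
	}
	return ed25519.Verify(s.VK, msg, s.Sig)
}

func main() {
	master, _ := MasterKeyGen()
	alice, _ := master.Extract("alice@example.org") // constructed identity
	msg := []byte("constructed message")
	sig := alice.Sign(msg)
	fmt.Println("verifies under alice:", Verify(master.Pub, "alice@example.org", msg, sig))
	fmt.Println("verifies under bob:  ", Verify(master.Pub, "bob@example.org", msg, sig))
}
```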

The above idea was formalized by Bellare, Neven, and Namprempre in [3], 
where they propose a generic and secure construction of identity-based signature 
schemes from any secure PKI-based signature scheme. However, some specific 
identity-based signature schemes have been proposed and published, mostly em- 
ploying bilinear pairings and random oracles, without arguing if the proposed 
schemes are more efficient than the schemes resulting from the generic construc- 
tion in [3]. In fact, in many papers the authors do not mention the generic 
approach from [3] and in spite of Shamir’s work from more than two decades 
ago [29] it still seems to be a popular “opinion” among some researchers that the 
construction of identity-based signatures inherently relies on bilinear pairings. 

Our observation is that the situation is quite similar when identity-based 
signature schemes with additional properties are considered. Intuitively such 
schemes may be obtained using the same generic approach as in the case of 
standard identity-based signatures combining a digital certificate and a PKI- 
based signature scheme with the desired additional property. To the best of 
our knowledge, this intuitive construction was never mentioned before, nor has 
a formal analysis been given up to now. Furthermore, specific identity-based 
signature schemes with additional properties keep being proposed and published 
without arguing which improvements they bring with respect to the possible 
generic certificate-based approach. Nearly all of these papers employ bilinear 
pairings and the security proofs are given in the random oracle model [5] (with 
its well-known limitations [9]). 

D. Galindo, J. Herranz, and E. Kiltz

1.1 Our Results

In this work we formally revisit the intuitive idea outlined in the last paragraph. Namely, if S is a secure PKI-based signature scheme and PS is a PKI-based signature scheme with some additional property P, we pursue the question of whether, for a certain property P, the combination of those two signature schemes can lead to a secure IBS scheme IB-PS enjoying the same additional property P. We can answer this question in the positive, giving generic constructions of signature schemes with the following properties: proxy signatures (PS); (partially) blind signatures (BS); verifiably encrypted signatures (VES); undeniable signatures (US); forward-secure signatures (FSS); strong key insulated signatures (SKIS); online/offline signatures (OOS); threshold signatures (TS); and aggregate signatures (AS).¹

Implications. By considering well-known results and constructions of PKI-based signatures PS with the required additional properties, we obtain identity-based schemes IB-PS from weaker assumptions than previously known. A detailed overview of our results can be looked up in Table 1 on page 183. To give a quick overview of our results, for nearly every property P listed above, we obtain (i) the first IB-PS scheme secure in the standard model (i.e., without random oracles); (ii) the first IB-PS scheme built without using bilinear pairings; and (iii) the first IB-PS based on "general assumptions" (e.g. on the sole assumption of one-way functions), answering the main foundational question with regard to these primitives. Our results therefore implicitly resolve many "open problems" in the area of identity-based signatures with additional properties.

Generic Constructions. For some properties P the construction of the scheme IB-PS is the same as in [3], and a formal security statement can be proved following basically verbatim the proofs given in [3]. But as the limitations of the generic approach indicate, this approach does not work in a black-box way for every possible property P. For some special properties the certificate-based generic construction sketched above has to be (non-trivially) adapted to fit the specific nature of the signature scheme. This is in particular the case for blind and undeniable signatures, and hence in these cases we will lay out our constructions in more detail.

Discussion. We think that in some cases the constructions of identity-based sig- 
natures with additional properties implied by our results are at least as efficient 
as most of the schemes known before. However, because of the huge number of 
cases to be considered, we decided not to include a detailed efficiency analysis 
of our generic constructions. Note that, in order to analyze the efficiency of a 
particular identity-based scheme resulting from our construction, we should first 
fix the framework: whether we admit the random oracle model, whether we allow 
the use of bilinear pairings, etc. Then we should take the most efficient suitable 
PKI-based scheme and measure the efficiency of the resulting identity-based one. 
Our point is rather that this comparison should be up to the authors proposing 
new specific schemes: the schemes (explicitly and implicitly) implied by our 
generic approach should be used as benchmarks relative to which both existing 
and new practical schemes measure their novelty and efficiency. 


¹ We stress that the length of our implied aggregate identity-based signatures 
still depends linearly on the number of different signers (optimally it is 
constant), and therefore our results concerning AS are not optimal. 
We stress that we do not claim complete novelty for our generic approaches to 
construct identity-based signatures with additional properties. Similar to [3], 
we rather think that most of these constructions can be considered folklore and 
are known to many researchers. However, the immense number of existing articles 
neglecting these constructions was our initial motivation for writing this 
paper. We think that our results may also help to better understand IBS. To 
obtain a practical IBS with some additional property, the “standard method” in 
most articles is to start from a standard IBS and try to “add in” the desired 
additional property. Our results suggest that one should rather start from a 
standard signature scheme with the additional property and try to make it 
identity-based. We hope that the latter approach may be used to obtain more 
efficient practical schemes. 

2 Definitions 

Standard Signatures. A standard signature scheme S = (S.KG, S.Sign, S.Vfy) 
consists of the following three (probabilistic polynomial-time) algorithms. The 
key generation algorithm S.KG takes as input a security parameter k and returns 
a secret key SK and a matching public key PK. We use the notation 
(SK, PK) ← S.KG(1^k) to refer to one execution of this protocol. The signing 
algorithm S.Sign inputs a message m and a secret key SK. The output is a 
signature sig_SK(m). We denote an execution of this protocol as 
sig_SK(m) ← S.Sign(SK, m). The verification algorithm S.Vfy takes as input a 
message m, a signature sig = sig_SK(m) and a public key PK. The output is 1 if 
the signature is valid, or 0 otherwise. We use the notation 
{0, 1} ← S.Vfy(PK, m, sig) to refer to one execution of this algorithm. 

The standard security notion for signature schemes is unforgeability against 
adaptively-chosen message attacks, which can be found in [19,17]. 
Identity-Based Signatures. An identity-based signature scheme IB-S = 
(IB_S.KG, IB_S.Extr, IB_S.Sign, IB_S.Vfy) consists of the following four 
(probabilistic polynomial-time) algorithms [10]. The setup algorithm IB_S.KG 
takes as input a security parameter k and returns, on the one hand, the system 
public parameters mpk and, on the other hand, the master secret key msk, which 
is known only to the master entity. We denote an execution of this protocol as 
(mpk, msk) ← IB_S.KG(1^k). The key extraction algorithm IB_S.Extr takes as 
inputs mpk, the master secret key msk and an identity id ∈ {0, 1}*, and returns 
a secret key sk[id] for the user with this identity. We use the notation 
sk[id] ← IB_S.Extr(msk, id) to refer to one execution of this protocol. The 
signing algorithm IB_S.Sign inputs a user secret key sk[id], the public 
parameters mpk, an identity id, and a message m. The output is a signature 
sig = sig_msk(id, m). We denote an execution of this protocol as 
sig ← IB_S.Sign(mpk, id, sk[id], m). Finally, the verification algorithm 
IB_S.Vfy inputs mpk, a message m, an identity id and a signature sig; it 
outputs 1 if the signature is valid, and 0 otherwise. To refer to one execution 
of this protocol, we use the notation {0, 1} ← IB_S.Vfy(mpk, id, m, sig). 
The standard security notion for identity-based signature schemes is 
unforgeability against adaptively-chosen identity and message attacks, which 
can be found in [3,17]. 

3 Generic Construction of Identity-Based Signatures 

We first outline the BNN generic transformation [3] from two standard signature 
schemes S, S' into an identity-based signature scheme. 

Let S = (S.KG, S.Sign, S.Vfy) and S' = (S'.KG, S'.Sign, S'.Vfy) be two (possibly 
equal) standard signature schemes. The generic construction of an identity-based 
signature scheme IB-S = (IB_S.KG, IB_S.Extr, IB_S.Sign, IB_S.Vfy), proposed in 
[3], is defined as follows. 

Key Generation IB_S.KG(1^k): The key generation algorithm of the standard 
signature scheme S is run to obtain the master key pair for the identity-based 
signature scheme IB-S: (msk, mpk) ← S.KG(1^k). 

Key extraction IB_S.Extr(msk, id_i): The secret key of a user with identity 
id_i is defined as 

    sk[id_i] = (sig_i, pk_i, sk_i),   (1) 

where (pk_i, sk_i) is a random key pair obtained by running S'.KG(1^k) and 
sig_i ← S.Sign(msk, id_i || pk_i). Here the signature sig_i can be viewed as a 
“certificate” on the validity of pk_i. 

Identity-Based Sign IB_S.Sign(mpk, id_i, sk[id_i], m): Given a user secret key 
for id_i, an id-based signature for identity id_i and message m is defined as 

    sig(id_i, m) = (sig_i, pk_i, sig_{sk_i}(m)),   (2) 

where sig_{sk_i}(m) = S'.Sign(sk_i, m) can be computed by the possessor of the 
user secret key sk[id_i], since sk_i is contained in sk[id_i]. The signature 
sig_i included in Eqn. (2) certifies the validity of pk_i. 

Verification IB_S.Vfy(mpk, id_i, m, sig): The verifier parses sig as in 
Eqn. (2) and checks that the first signature sig_i is valid with respect to mpk 
and the “message” id_i || pk_i (using the verification algorithm S.Vfy), and 
that the second signature is valid with respect to pk_i and the message m 
(using the verification algorithm S'.Vfy). The output is 1 only if both checks 
succeed. 

Bellare, Namprempre, and Neven [3] prove the following result: 

Theorem 1. If S and S' are both secure standard signature schemes then IB-S 
is a secure identity-based signature scheme. 

Let PS be a signature scheme with the property P. We extend the above 
construction to an IBS with additional properties IB-PS in a straightforward 
way: as with signing/verification, all functionality provided by PS is “lifted” 
to the identity-based case. That means that (analogously to IB_S.Sign and 
IB_S.Vfy) any protocol additionally provided by PS is executed using the 
corresponding secret/public key pair (sk_i, pk_i) from the user secret key of 
Eqn. (1). We will refer to the latter construction as the “generic construction 
of identity-based signatures with additional properties” or simply the “generic 
construction”. 
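As an added illustration, not code from the paper, the following Python block instantiates the generic construction above with S = S' equal to a toy hash-then-RSA scheme. The key size, the freshly generated primes, the use of SHA-256 in place of a full-domain hash, the absence of padding and the length-prefixed encoding of the certified “message” id_i || pk_i are all assumptions of this example, and the RSA layer is not a secure instantiation. The block produces sk[id_i] = (sig_i, pk_i, sk_i) as in Eqn. (1), signatures (sig_i, pk_i, sig_{sk_i}(m)) as in Eqn. (2), and a verifier that checks both layers. The demo also runs the two checks a practitioner wants from the certificate layer: a signature produced for id_i is rejected under any other identity, and an attacker who owns a key pair but no certificate for id_i cannot reuse Alice's certificate with it.

```python
"""Generic certificate-based IBS (the BNN construction of Section 3) with a
toy hash-then-RSA scheme used for both S and S'.  Added example, not code
from the paper: no padding, small keys, SHA-256 instead of a full-domain
hash, so the RSA layer is NOT a secure instantiation; it only shows the
structure sk[id_i] = (sig_i, pk_i, sk_i), sig(id_i, m) = (sig_i, pk_i, sig_{sk_i}(m))."""
import hashlib
import secrets

E = 65537  # assumption: one fixed public exponent for every key pair

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; the round count is a demo choice, not a security analysis."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    """Random prime with the top bit set, so p*q has exactly 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

# ---- standard signature scheme S = (S.KG, S.Sign, S.Vfy); S' = S below ----
def s_kg(bits: int = 512):
    """S.KG(1^k): returns (SK, PK) with SK = (n, d), PK = (n, e)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return (p * q, pow(E, -1, phi)), (p * q, E)

def h_int(msg: bytes) -> int:
    """SHA-256 as an integer; always < 2^256 < n for the key sizes used here."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def s_sign(sk, msg: bytes) -> int:
    n, d = sk
    return pow(h_int(msg), d, n)

def s_vfy(pk, msg: bytes, sig: int) -> bool:
    n, e = pk
    return 0 < sig < n and pow(sig, e, n) == h_int(msg)

# ---- the lifted scheme IB-S = (IB_S.KG, IB_S.Extr, IB_S.Sign, IB_S.Vfy) ----
def encode_id_pk(identity: str, pk) -> bytes:
    """Unambiguous encoding of the certified "message" id_i || pk_i.  Plain
    concatenation would let an attacker move bytes between identity and key;
    the length prefixes are an assumption of this example, not of the paper."""
    n, e = pk
    fields = (identity.encode(), n.to_bytes((n.bit_length() + 7) // 8, "big"),
              e.to_bytes(4, "big"))
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def ib_extr(msk, identity: str):
    """IB_S.Extr(msk, id_i): sk[id_i] = (sig_i, pk_i, sk_i), Eqn. (1)."""
    sk_i, pk_i = s_kg()                                   # S'.KG(1^k)
    sig_i = s_sign(msk, encode_id_pk(identity, pk_i))     # certificate on pk_i
    return sig_i, pk_i, sk_i

def ib_sign(mpk, identity: str, sk_id, msg: bytes):
    """IB_S.Sign(mpk, id_i, sk[id_i], m) = (sig_i, pk_i, sig_{sk_i}(m)), Eqn. (2)."""
    sig_i, pk_i, sk_i = sk_id
    return sig_i, pk_i, s_sign(sk_i, msg)

def ib_vfy(mpk, identity: str, msg: bytes, sig) -> bool:
    """IB_S.Vfy: certificate under mpk on id_i || pk_i, then inner signature under pk_i."""
    sig_i, pk_i, inner = sig
    return s_vfy(mpk, encode_id_pk(identity, pk_i), sig_i) and s_vfy(pk_i, msg, inner)

def demo():
    """Returns (honest signature verifies, other identity rejected, uncertified key rejected)."""
    msk, mpk = s_kg()                                     # IB_S.KG(1^k) = S.KG(1^k)
    alice, msg = "alice@example.org", b"transfer 10 EUR to bob"   # constructed inputs
    sig = ib_sign(mpk, alice, ib_extr(msk, alice), msg)
    honest = ib_vfy(mpk, alice, msg, sig)
    other_id = ib_vfy(mpk, "bob@example.org", msg, sig)  # cert binds id_i to pk_i
    sk_x, pk_x = s_kg()                                   # attacker's own, uncertified pair
    substituted = ib_vfy(mpk, alice, msg, (sig[0], pk_x, s_sign(sk_x, msg)))
    return honest, not other_id, not substituted
```

One detail the generic description leaves implicit: the certified string id_i || pk_i must be encoded unambiguously. If identities and keys are simply concatenated, a certificate on (id_i, pk_i) is also a certificate on every other split of the same byte string, which is why the example length-prefixes both fields.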
In the rest of this section we demonstrate that this generic construction and 
variants of it can indeed be used for many signature schemes with additional 
properties. Due to lack of space we only provide details for identity-based 
VES, US, AS, and BS schemes. For the details on the remaining results we refer 
to the full version of this paper [17]. Table 1 summarizes the practical impact 
of our results, i.e., it shows which types IB-PS of new identity-based signature 
schemes are implied by our general constructions. The existence of the 
identity-based signature schemes can be derived from the existence of the 
respective standard signature scheme [17]. 


Table 1. A summary of the practical implications of our results. Here “✓” means 
that a scheme was known before (with a formal proof), “★” means that our 
construction gives the first such scheme, and “–” means that no such scheme is 
known. 

                            Existence of identity-based signature schemes 
Signature type    at all?   w/o random oracles?   w/o pairings?   general assumptions? 
VES §3.1            ★               ★                  ★                  ★ 
BS §4                               ★                  ★                  ★ 
US §3.2             ✓               ★                  ★                  – 
FSS [17]            ★               ★                  ★                  ★ 
SKIS [17]           ✓               ★                  ★                  ★ 
PS [17]             ✓               ★                  ★                  ★ 
OOS [17]            ✓               ★                  ★                  ★ 
Threshold [17]      ✓               ★                  ★                  – 


3.1 Verifiably Encrypted Signatures 

Verifiably encrypted signature (VES) schemes can be seen as a special extension 
of the standard signature primitive. VES schemes enable a user Alice to create a 
signature encrypted under an adjudicator's public key (the VES signature), and 
enable anyone to verify that the encrypted signature is valid. The adjudicator is 
a trusted third party, who can reveal the standard signature when needed. VES 
schemes provide an efficient way to achieve fairness in many practical 
applications such as contract signing. 

An efficient VES scheme in the random oracle model based on pairings was 
given in [7], one in the standard model in [25]. It was further noted in [25] 
that VES schemes can be constructed on general assumptions such as trapdoor 
one-way permutations. 

Identity-based verifiably encrypted signature (IB-VES) schemes were introduced 
in [20], where also a concrete security model was proposed. In contrast to [20], 
here we only consider a weaker (but still reasonable) model where the 
adjudicator has a fixed public key, i.e., it is not identity-based. 

² Against concurrent adversaries. 

Compared to a standard signature, a VES scheme has three additional algorithms: 
VES signing/verification (with respect to an adjudicator's public key), and 
adjudication. Here the adjudication algorithm inputs an adjudicator's secret 
key and transforms a VES into a standard signature. For our generic construction 
VES signing and verification can be lifted to the identity-based case in the 
same way as in the generic construction, i.e., in an IB-VES one replaces 
sig_{sk_i}(m) in Eqn. (2) with its VES counterpart obtained by running the VES 
signing algorithm on sk_i, m, and the adjudicator's public key. IB-VES 
verification checks the certificate and the VES using the standard VES 
verification algorithm. More formally we can prove the following theorem: 

Theorem 2. If S is a secure standard signature scheme and VES is a secure 
verifiably encrypted signature scheme then the generic construction gives a 
secure identity-based verifiably encrypted signature scheme. 

Using our generic construction we get an IB-VES scheme based on any trapdoor 
one-way function [25], and a more efficient one using [7]. 

3.2 Undeniable Signatures 

Undeniable signatures [12] (US) are signature schemes in which testing for 
(in)validity of a signature requires interaction with the signer. Undeniable sig- 
natures are used in applications where signed documents carry some private 
information about the signer and where it is considered to be an important 
privacy factor to limit the ability of verification. 

Following [14], an undeniable signature scheme US consists of four algorithms 
US = (US. KG, US. Sign, US.Conf, US.Disav), where US.Conf is a confirmation and 
US.Disav is a disavowal protocol, both being interactive algorithms run between 
a prover and a verifier. The basic security properties are (standard) unforgeabil- 
ity, non-transferability and simulatability. By non-transferability it is meant that 
no adversary should be able to convince any third party of the validity /invalidity 
of a given message/signature pair after having participated in the confirmation 
and disavowal protocols. Intuitively this is captured by requiring the confirma- 
tion and disavowal protocols to be “zero-knowledge” , such that no information 
is leaked besides (in)validity. With simulatability one wants to ensure that the 
strings representing signatures cannot be recognized (i.e., distinguished from a 
random string) by an attacker. This security property is fulfilled if there 
exists a signature simulator algorithm US.Sim that, on input of a public key and 
a message, outputs a simulated signature sig(m) which looks like a “real 
undeniable signature” to anyone who only knows public information and has 
access to confirmation/disavowal oracles. 

Extending the previous definition to the identity-based setting, an 
identity-based undeniable signature (IB-US) scheme consists of a tuple of five 
algorithms IB-US = (IB_US.KG, IB_US.Extr, IB_US.Sign, IB_US.Conf, IB_US.Disav), 
where IB_US.Conf and IB_US.Disav are interactive algorithms run between a prover 
and a verifier. The basic security properties for an IB-US (unforgeability, 
non-transferability and simulatability) are defined by suitably adapting the 
standard US security notions to the identity-based scenario. 

In particular, the identity-based simulatability property is defined in terms 
of the existence of an additional simulation algorithm IB_US.Sim. On input of 
the system public parameters mpk, an identity id and a message m, IB_US.Sim 
outputs a simulated signature sig(id, m) which is indistinguishable from a real 
signature for someone having access to confirmation/disavowal oracles for the 
identity id. 

We now sketch our generic construction of identity-based undeniable signatures. 
In contrast to the generic construction (cf. Eqn. (2)) we define the 
identity-based undeniable signature IB_US.Sign(sk[id_i], m) as sig_{sk_i}(m) 
(i.e., the certificate sig_msk(id_i || pk_i) and pk_i are not included in the 
signature). In the interactive identity-based confirmation and disavowal 
protocols, the signer sends his certificate (sig_msk(id_i || pk_i), pk_i) to the 
verifier, so that the verifier can be convinced of the link between the 
signature and id_i || pk_i. Then prover (using sk_i) and verifier (using pk_i) 
engage in the standard US confirmation/disavowal protocol. 

It remains to describe the identity-based simulation algorithm IB_US.Sim in 
terms of the algorithm US.Sim. We define the output of IB_US.Sim(mpk, id, m) as 
US.Sim(pk', m), where (pk', sk') ← US.KG(1^k) is a fresh key pair generated by 
the simulator. Note that the simulator IB_US.Sim does not input the user secret 
key sk[id], and therefore the public key pk_i from the user secret key for id_i 
(cf. Eqn. (1)) is information-theoretically hidden from it. However, an 
adversary against simulatability may learn this public key pk_i from an 
execution of the confirmation/disavowal protocol. It turns out that to ensure 
that our generic IB-US construction satisfies the simulatability property it is 
sufficient to require the scheme US to be anonymous in the sense of [16]. A 
scheme US is said to be anonymous if (roughly) for two randomly generated key 
pairs (pk_0, sk_0), (pk_1, sk_1) and a message m, it is infeasible to 
distinguish the two distributions US.Sign(sk_0, m) and US.Sign(sk_1, m). More 
formally, we can prove the following theorem: 

Theorem 3. If S is a secure standard signature scheme and US is a secure 
anonymous undeniable signature scheme then IB-US as outlined above is a secure 
identity-based undeniable signature scheme. 

As far as we know, only one IB-US has been previously presented in [24]. This 
scheme uses bilinear pairings and it is proved secure in the random oracle model. 
We stress that the security model in [24] seems to be incomplete, as the authors 
do not consider simulatability. 

In [16], an anonymous PKI-based US scheme based on the RSA primitive 
was proposed (the security proof uses the random oracle model). A different 
anonymous US scheme, whose security is proved in the standard model, can be 
found in [23]; it does not employ bilinear pairings, but the disavowal protocol is 
quite inefficient. Using these anonymous US schemes [16,23], we can obtain secure 
IB-US schemes in the random oracle model and also in the standard model, based 
on different computational assumptions, which do not employ bilinear pairings. 

3.3 Aggregate Signatures 

The idea of an aggregate signature scheme [7] is to combine n signatures on n 
different messages, signed by n (possibly different) signers, in order to obtain 
a single aggregate signature AgSig which provides the same certainty as the 
n initial signatures. The main goal in the design of such protocols is that the 
length of AgSig be constant, independent of the number of messages and signers. 
Of course, to check correctness of an aggregate signature, the verifier will also 
need the messages m_i and the public keys pk_i, but this is not taken into 
account when considering the length of AgSig. 

In the identity-based framework, the only proposal which achieves constant-length 
aggregation is that of [18]; however, this scheme only works in a more 
restrictive scenario where some interaction or sequentiality is needed among the 
signers of the messages which later will be aggregated (in the same direction 
as [25] for the PKI-based scenario). With respect to non-interactive aggregate 
signatures in the identity-based setting, the most efficient proposal is from 
[21], which does not achieve constant-length aggregation: the length of the 
aggregate signature does not depend on the number of signed messages, but on 
the number of different signers. Using the approach of this work, we can achieve 
exactly the same level of partial aggregation for identity-based signatures. 
Indeed, let us consider our generic construction, and let us assume that the 
employed PKI-based signature scheme S allows constant-length aggregation. Then 
the input of the aggregation algorithm would be 

    {(id_i, sig_msk(id_i || pk_i), sig_{sk_i}(m_i))}_{i=1,...,n}, 

where sig_msk(id_i || pk_i) and sig_{sk_i}(m_i) are signatures resulting from 
scheme S, and can therefore be aggregated into a PKI-based aggregate signature 
AgSig of constant length. Then the final identity-based aggregate signature 
would be IBAgSig = (AgSig, pk_1, ..., pk_n). This aggregate signature, along 
with the n messages and the n identities, is sufficient to verify the 
correctness of the n signatures. Therefore the length of the identity-based 
aggregate signature IBAgSig is linear in the number of different signers. 

3.4 Limitations and Extensions 

Our generic approach to construct identity-based signature schemes with special 
properties does not work in situations where the signing procedure (in the cor- 
responding PKI-based scheme) involves other public keys than the one from the 
signer, and interaction between the signer and the owners of these public keys 
is not mandatory. Our approach fails in this case because in the identity-based 
framework the signer only knows the identity of the other users, and needs some 
interaction with them in order to know the public key that they have received in 
the key extraction phase. Some examples of signature schemes with special prop- 
erties falling inside this group are: ring signatures; designated verifier signatures; 
confirmer signatures; chameleon signatures; and nominative signatures. 

We are aware of the fact that the list of properties to which the generic 
approach can be applied is not complete; it obviously applies to other concepts 
(like one-time signatures, homomorphic signatures, etc.) as well. 


4 Generic Construction of ID-Based Blind Signatures 

In this section we consider in more detail the generic construction in the case 
of blind signature schemes. In blind signature (BS) schemes [11] a user can ask 
a signer to blindly sign a (secret) message m. At the end of the (interactive) 
signing process, the user obtains a valid signature on m, but the signer has no 
information about the message he has just signed. A formal security model for 
blind signatures was introduced in [22,27]. Partially blind signature schemes 
are a variation of this concept, where the signer can include some common 
information in the blind signature, under some agreement with the final receiver 
of the signature. This concept was introduced in [1] and the security of such 
schemes was formalized in [2]. 

The first identity-based blind signature (IB-BS) schemes were proposed in 
[31,30]. They employ bilinear pairings, but their security is not formally 
analyzed. Subsequent schemes were proposed in [13], but security is only 
provided in a weaker model (i.e., against sequential adversaries). 

The main result of this section can be stated as follows. 

Theorem 4. If S is a strongly secure standard signature scheme and BS is a 
secure (partially) blind signature scheme then a secure identity-based 
(partially) blind signature scheme IB-BS can be constructed. 

Here the IB-BS scheme inherits the security properties of the BS scheme — if BS 
is secure against concurrent adversaries so is IB-BS. In particular, we obtain the 
first IB-BS scheme provably secure (in the standard model), against concurrent 
adversaries (by using the results from [8,26,15]), we obtain IB-BS schemes which 
do not employ bilinear pairings [4], and we obtain IB-BS schemes from any one- 
way trapdoor permutation [22,15]. 

We now formally prove Theorem 4. First we recall the basic definitions of PKI- 
based and identity-based blind signature schemes, then we explain and analyze 
our construction and prove its blindness. Due to lack of space, we included all 
details (definitions and analysis) related to the unforgeability property in the 
full version of this paper [17]. 

4.1 Blind Signature Schemes 

Blind signature schemes were introduced in [11] with electronic banking as the 
first motivation. The intuitive idea is that a user asks some signer to blindly 
sign a (secret) message m. At the end of the process, the user obtains a valid 
signature on m from the signer, but the signer has no information about the 
message he has signed. More formally, a blind signature scheme 
BS = (BS.KG, BS.Sign, BS.Vfy) consists of the following (partially interactive) 
algorithms. 

The key generation algorithm BS.KG takes as input a security parameter k and 
returns a secret key sk and a matching public key pk. We use the notation 
(sk, pk) ← BS.KG(1^k) to refer to one execution of this protocol. The blind 
signing algorithm BS.Sign is an interactive protocol between a user U and a 
signer S with public key pk. The input for the user is Inp_U = (m, pk), where m 
is the message he wants to have signed by the signer. The input Inp_S of the 
signer is his secret key sk. In the end, the output Out_S of the signer is 
'completed' or 'not completed', whereas the output Out_U of the user is either 
'fail' or a signature sig = sig_sk(m). We use the notation 
(Out_U, Out_S) ← BS.Sign(Inp_U, Inp_S) to refer to one execution of this 
interactive protocol. Finally, the verification algorithm BS.Vfy is the same 
verification algorithm as in standard signature schemes; it takes the public key 
pk, a message m and a signature sig. To refer to one execution of this protocol, 
we use the notation {0, 1} ← BS.Vfy(pk, m, sig). 
Blindness. Intuitively, the blindness property captures the notion of a signer 
who tries to obtain some information about the messages he is signing for some 
user. Formally, this notion is defined by the following game that an adversary 
(signer) B plays against a challenger (who plays the role of a user). 

First the adversary B runs the key generation protocol (sk, pk) ← BS.KG(1^k). 
Then the adversary B chooses two messages m_0 and m_1 and sends them to the 
challenger, along with the public key pk. The challenger chooses b ∈ {0, 1} at 
random and then the interactive signing protocol is executed two times (possibly 
in a concurrent way), resulting in 
(Out_{U,b}, Out_{S,b}) ← BS.Sign(Inp_{U,b}, Inp_{S,b}) and 
(Out_{U,1-b}, Out_{S,1-b}) ← BS.Sign(Inp_{U,1-b}, Inp_{S,1-b}), where adversary B 
plays the role of the signer S and the challenger plays the role of the user, 
with inputs Inp_{U,b} = (pk, m_b) and Inp_{U,1-b} = (pk, m_{1-b}). Finally, the 
adversary B outputs its guess b'. Note that the adversary in the above security 
game is in possession of the secret key sk. 

We say that such an adversary B succeeds if b' = b and define its advantage in 
the above game as Adv^{blind}_{BS,B}(k) = |Pr[b' = b] − 1/2|. A scheme BS has 
the blindness property if, for all PPT adversaries B, Adv^{blind}_{BS,B}(k) is 
a negligible function (with respect to the security parameter k). 

4.2 Identity-Based Blind Signature Schemes 

Analogously, an identity-based blind signature scheme IB-BS = (IB_BS.KG, 
IB_BS.Extr, IB_BS.Sign, IB_BS.Vfy) consists of the following algorithms. 

The setup algorithm IB_BS.KG takes as input a security parameter k and returns, 
on the one hand, the master public key mpk and, on the other hand, the master 
secret key msk, which is known only to the master entity. We denote an execution 
of this protocol as (msk, mpk) ← IB_BS.KG(1^k). The key extraction algorithm 
IB_BS.Extr takes as inputs mpk, the master secret key msk and an identity 
id ∈ {0, 1}*, and returns a secret key sk[id] for the user with this identity. 
We use the notation sk[id] ← IB_BS.Extr(msk, id) to refer to one execution of 
this protocol. The blind signing algorithm IB_BS.Sign is an interactive protocol 
between a user U and a signer with identity id. The common input for them is 
mpk. The input for the user is Inp_U = (id, m), where m is the message he wants 
to have signed by id. The input Inp_id of the signer is his secret key sk[id]. 
In the end, the output Out_id of the signer is 'completed' or 'not completed', 
whereas the output Out_U of the user is either 'fail' or a signature 
sig = sig_msk(id, m). We use the notation 
(Out_U, Out_id) ← IB_BS.Sign(mpk, Inp_U, Inp_id) to refer to one execution of 
this interactive protocol. Finally, the verification algorithm IB_BS.Vfy takes 
as input mpk, a message m, an identity id and a signature sig; it outputs 1 if 
the signature is valid with respect to the public key mpk and the identity id, 
and 0 otherwise. To refer to one execution of this protocol, we use the notation 
{0, 1} ← IB_BS.Vfy(mpk, id, m, sig). 
An identity-based blind signature scheme must satisfy the requirements of 
correctness, blindness and unforgeability. Due to lack of space, we focus only 
on the blindness property. 

Blindness. Blindness of an identity-based blind signature scheme is defined by 
a game played between a challenger and an adversary. This adversary B_IB models 
the dishonest behavior of a signer who tries to distinguish which message 
(between two messages chosen by himself) is being signed in an interactive 
execution of the signing protocol with a user. The game is as follows. 

First the challenger runs the setup protocol (msk, mpk) ← IB_BS.KG(1^k) and 
gives mpk to B_IB. The master secret key msk is kept secret by the challenger. 
The adversary B_IB is allowed to query for secret keys of identities id_i of his 
choice. The challenger runs sk[id_i] ← IB_BS.Extr(msk, id_i) and gives the 
resulting secret key sk[id_i] to B_IB. If the same identity is asked again, the 
same value sk[id_i] must be returned by the challenger. At some point, the 
adversary B_IB chooses an identity id* and two messages m_0, m_1, and sends 
these values to the challenger. The challenger chooses b ∈ {0, 1} at random and 
then the interactive signing protocol is executed twice (possibly in a 
concurrent way), resulting in 
(Out_{U,b}, Out_{id*,b}) ← IB_BS.Sign(Inp_{U,b}, Inp_{id*,b}) and 
(Out_{U,1-b}, Out_{id*,1-b}) ← IB_BS.Sign(Inp_{U,1-b}, Inp_{id*,1-b}), where 
adversary B_IB plays the role of the signer id* and the challenger plays the 
role of the user, with inputs Inp_{U,b} = (m_b, id*) and 
Inp_{U,1-b} = (m_{1-b}, id*). Finally, the adversary B_IB outputs its guess b'. 

We say that such an adversary B_IB succeeds if b' = b and define its advantage 
in the above game as Adv^{blind}_{IB-BS,B_IB}(k) = |Pr[b' = b] − 1/2|. A scheme 
IB-BS has the blindness property if, for all PPT adversaries B_IB, 
Adv^{blind}_{IB-BS,B_IB}(k) is a negligible function (with respect to the 
security parameter k). 

4.3 Constructing Identity-Based Blind Signature Schemes 

Let S = (S.KG, S.Sign, S.Vfy) be a standard signature scheme and let 
BS = (BS.KG, BS.Sign, BS.Vfy) be a blind signature scheme. We construct an 
ID-based blind signature scheme IB-BS = (IB_BS.KG, IB_BS.Extr, IB_BS.Sign, 
IB_BS.Vfy) as follows. 

Setup IB_BS.KG(1^k): On input a security parameter k, the key generation 
protocol S.KG of S is executed, resulting in (SK, PK) ← S.KG(1^k). The master 
public key is defined as mpk = PK, whereas the master secret key stored by the 
master entity is msk = SK. 

Key extraction IB_BS.Extr(msk, id_i): When the user secret key sk[id_i] for 
some identity id_i is requested, the master entity first checks if it has 
already established a user secret key for id_i. If so, the old secret key is 
returned. Otherwise it generates and stores a new user secret key as follows: it 
runs the key generation protocol of the blind signature scheme BS, resulting in 
(sk_i, pk_i) ← BS.KG(1^k). Then it uses signature scheme S to sign the 
“message” id_i || pk_i, that is, it executes 
sig_msk(id_i || pk_i) ← S.Sign(msk, id_i || pk_i). The resulting secret key, 
which is sent to the owner of the identity, is 
sk[id_i] = (sk_i, pk_i, sig_msk(id_i || pk_i)). The recipient can verify the 
obtained secret key by executing 
{0, 1} ← S.Vfy(mpk, id_i || pk_i, sig_msk(id_i || pk_i)); if the output is 1, 
then the secret key is accepted. 

Blind signature IB_BS.Sign: The interactive protocol between a user U and a 
signer with identity id_i consists of the following steps (recall that mpk is a 
common input for user and signer, the input of the user is (id_i, m) and the 
input of the signer is sk[id_i]). 

1. User U sends the query (id_i, 'blindsignature?') to the signer. 

2. If the signer does not want to sign, the protocol finishes with Out_U = 'fail' 
and Out_{id_i} = 'not completed'. Otherwise, the signer sends 
(pk_i, sig_msk(id_i || pk_i)) back to the user. 

3. The user runs {0, 1} ← S.Vfy(mpk, id_i || pk_i, sig_msk(id_i || pk_i)). If 
the output is 0, then the protocol finishes with Out_U = 'fail' and 
Out_{id_i} = 'not completed'. Otherwise, user and signer interact to run the 
blind signature protocol of BS, resulting in 
(Out'_U, Out'_{id_i}) ← BS.Sign(Inp_U, Inp_{id_i}), where Inp_U = (pk_i, m) 
and Inp_{id_i} = sk_i. If Out'_U ≠ 'fail', then it consists of a standard 
signature sig_{sk_i}(m) on m under secret key sk_i. The final output for the 
user is in this case Out_U = sig(id_i, m) = (sig_msk(id_i || pk_i), pk_i, 
sig_{sk_i}(m)), which is defined to be the identity-based signature on message 
m from identity id_i. 

Verification IB_BS.Vfy(mpk, id_i, m, sig(id_i, m)): Given as input a message 
m, an identity id_i and an identity-based signature sig(id_i, m) that is parsed 
as (sig_msk(id_i || pk_i), pk_i, sig_{sk_i}(m)), the verification protocol works 
as follows. The two verification protocols, of schemes S and BS, are executed in 
parallel: {0, 1} ← S.Vfy(mpk, id_i || pk_i, sig_msk(id_i || pk_i)) and 
{0, 1} ← BS.Vfy(pk_i, m, sig_{sk_i}(m)). If both outputs are 1, then the final 
output of this protocol is also 1. Otherwise, the output is 0. 
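The following Python block, added here and not taken from the paper, runs the three steps above with Chaum's RSA blind signature as BS and hash-then-RSA as S, and then plays the signer's side of the blindness game of Section 4.1: holding sk_i, the signer tries to decide which of two candidate messages its transcript belongs to, and finds that the blinded value it saw is consistent with either. The fixed Mersenne primes, the SHA-256-mod-n hash, the length-prefixed encoding of id_i || pk_i and the way the two roles are run in one process are assumptions of this example, and the key sizes are far too small for real use.

```python
"""The IB-BS construction of Section 4.3, with Chaum's RSA blind signature
as BS and hash-then-RSA as the certificate scheme S, plus a signer-side check
of the blindness property from Section 4.1.  Added example, not code from the
paper.  Keys come from fixed Mersenne primes so the run is deterministic;
these sizes and the SHA-256-mod-n hash are toy choices and NOT secure."""
import hashlib
import math
import secrets

E = 65537
M127, M107 = (1 << 127) - 1, (1 << 107) - 1   # master key factors (Mersenne primes)
M89, M61 = (1 << 89) - 1, (1 << 61) - 1       # user key factors (Mersenne primes)

def rsa_keygen(p: int, q: int):
    """Key pair from two given primes: sk = (n, d), pk = (n, e)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, pow(E, -1, phi)), (n, E)

def h_mod(msg: bytes, n: int) -> int:
    """SHA-256 reduced into Z_n: toy stand-in for a full-domain hash."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def rsa_sign(sk, msg: bytes) -> int:
    n, d = sk
    return pow(h_mod(msg, n), d, n)

def rsa_verify(pk, msg: bytes, sig: int) -> bool:
    n, e = pk
    return 0 < sig < n and pow(sig, e, n) == h_mod(msg, n)

# ---- BS.Sign as Chaum's protocol (user: blind, signer: sign, user: unblind);
#      BS.Vfy is plain rsa_verify, as the definition of BS.Vfy requires ----
def bs_blind(pk, msg: bytes):
    """User, first move: send H(m) * r^e for a fresh unit r kept secret."""
    n, e = pk
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return (h_mod(msg, n) * pow(r, e, n)) % n, r

def bs_sign_blinded(sk, blinded: int) -> int:
    """Signer: exponentiates the blinded value; it never sees m or H(m)."""
    n, d = sk
    return pow(blinded, d, n)

def bs_unblind(pk, blinded_sig: int, r: int) -> int:
    """User, last step: divide out r to get an ordinary RSA signature on m."""
    n, _ = pk
    return (blinded_sig * pow(r, -1, n)) % n

def signer_can_explain(sk, blinded: int, msg: bytes) -> bool:
    """Blindness, seen from the adversary of Section 4.1 (who holds sk): is
    there an r with H(m) * r^e == blinded?  For RSA exactly one such r exists,
    r = (blinded / H(m))^d, for EVERY m, so the transcript fits any message."""
    n, d = sk
    r = pow(blinded * pow(h_mod(msg, n), -1, n) % n, d, n)
    return (h_mod(msg, n) * pow(r, E, n)) % n == blinded

# ---- IB-BS = (IB_BS.KG, IB_BS.Extr, IB_BS.Sign, IB_BS.Vfy) ----
def cert_msg(identity: str, pk) -> bytes:
    """Length-prefixed id_i || pk_i (assumption: keeps the id/key boundary fixed)."""
    idb, (n, e) = identity.encode(), pk
    return len(idb).to_bytes(2, "big") + idb + n.to_bytes(32, "big") + e.to_bytes(4, "big")

def ib_bs_extract(msk, identity: str, p: int, q: int):
    """sk[id_i] = (sk_i, pk_i, sig_msk(id_i || pk_i)); primes are passed in for the demo."""
    sk_i, pk_i = rsa_keygen(p, q)                       # BS.KG(1^k)
    return sk_i, pk_i, rsa_sign(msk, cert_msg(identity, pk_i))

def ib_bs_sign(mpk, identity: str, msg: bytes, sk_id):
    """Steps 1-3 of IB_BS.Sign with both roles run inline; returns Out_U."""
    sk_i, pk_i, cert = sk_id
    # steps 1-2: user asks (id_i, 'blindsignature?'), signer answers (pk_i, cert)
    if not rsa_verify(mpk, cert_msg(identity, pk_i), cert):
        return None                                      # Out_U = 'fail'
    # step 3: BS.Sign between user (pk_i, m) and signer (sk_i)
    blinded, r = bs_blind(pk_i, msg)
    inner = bs_unblind(pk_i, bs_sign_blinded(sk_i, blinded), r)
    return cert, pk_i, inner       # (sig_msk(id_i || pk_i), pk_i, sig_{sk_i}(m))

def ib_bs_verify(mpk, identity: str, msg: bytes, sig) -> bool:
    cert, pk_i, inner = sig
    return rsa_verify(mpk, cert_msg(identity, pk_i), cert) and rsa_verify(pk_i, msg, inner)

def demo():
    """Returns (signature verifies, other identity rejected, bad certificate aborts,
    signer's view fits both candidate messages)."""
    msk, mpk = rsa_keygen(M127, M107)                    # IB_BS.KG
    alice = ib_bs_extract(msk, "alice", M89, M61)        # IB_BS.Extr
    m0, m1 = b"vote: yes", b"vote: no"                   # constructed messages
    sig = ib_bs_sign(mpk, "alice", m0, alice)
    sk_i, pk_i, cert = alice
    aborted = ib_bs_sign(mpk, "alice", m0, (sk_i, pk_i, cert ^ 1)) is None
    blinded, _ = bs_blind(pk_i, m0)                      # all the signer ever sees
    fits_both = signer_can_explain(sk_i, blinded, m0) and signer_can_explain(sk_i, blinded, m1)
    return (ib_bs_verify(mpk, "alice", m0, sig), not ib_bs_verify(mpk, "bob", m0, sig),
            aborted, fits_both)
```

Two points the protocol description relies on are visible in the code: the user verifies the certificate before engaging in BS.Sign (step 3), so an uncertified pk_i leads to Out_U = 'fail' rather than to a signature under an unknown key; and IB_BS.Vfy checks the inner signature with BS.Vfy, which for Chaum's scheme is ordinary RSA verification, since the unblinded value is a plain RSA signature on m.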

4.4 Security Analysis 

In this section we prove that the identity-based blind signature scheme IBJBS 
constructed in the previous section satisfies the blindness property, assuming 
that the schemes S and BS employed as primitives are secure. The detailed 
analysis of the unforgeability property can be found in [17]. 

Theorem 5. Assume the signature scheme S is strongly unforgeable and the blind signature scheme BS is blind. Then the identity-based blind signature scheme IB-BS constructed in Section 4.3 is blind.

Proof. Assume there exists a successful adversary $B_{IB}$ against the blindness of the scheme IB-BS. We show that then there exists either a successful forger $F$ against the signature scheme S or a successful adversary $B$ against the blindness of the blind signature scheme BS. We now construct $F$ and $B$.

Setup. Forger $F$ receives as initial input some public key $PK$ for the standard signature scheme S. Then we initialize the adversary $B_{IB}$ by providing it with $mpk = PK$.
Secret key queries. Adversary $B_{IB}$ is allowed to make secret key queries for identities $id_i$ of its choice. To answer a query, we run the key generation protocol of the blind signature scheme BS to obtain $(sk_i, pk_i) \leftarrow \mathsf{BS.KG}(1^k)$. Then we send the query $m_i = id_i \| pk_i$ to the signing oracle of the forger $F$, and obtain as answer a valid signature $sig_i$ with respect to scheme S and public key $PK = mpk$. Then we send to $B_{IB}$ the consistent answer $sk[id_i] = (sk_i, pk_i, sig_i)$. We store all this information in a table. If the same identity is asked twice by $B_{IB}$, then the same secret key is given as answer.

Challenge. At some point, $B_{IB}$ will output some challenge identity $id^*$ and two messages $m_0, m_1$. Without loss of generality we can assume that $B_{IB}$ had already asked for the secret key of this identity (otherwise, we generate it now and send it to $B_{IB}$), obtaining $sk[id^*] = (sk^*, pk^*, sig^*)$. Then we start constructing an adversary $B$ against the blindness of the scheme BS, by sending public key $pk^*$ and messages $m_0, m_1$ to the corresponding challenger. Now we must execute twice the interactive blind signature protocol with $B_{IB}$, where $B_{IB}$ acts as a signer and we act as the user. For both executions, we first send $(id^*, \text{'blindsignature?'})$ to $B_{IB}$. As answers, we will obtain $(pk^{*(0)}, sig^{*(0)})$ and $(pk^{*(1)}, sig^{*(1)})$ from $B_{IB}$, where $sig^{*(j)}$ is a valid signature on $id^* \| pk^{*(j)}$ for both $j = 0, 1$.

If $(pk^{*(j)}, sig^{*(j)}) \neq (pk^*, sig^*)$ for either $j = 0$ or $j = 1$, then $F$ outputs $sig^{*(j)}$ as a valid forgery on the message $id^* \| pk^{*(j)}$ for the signature scheme S. This is a valid forgery against signature scheme S, because these signatures were not obtained during the attack. Therefore, in this case we would have a successful forger $F$ against S, contradicting the hypothesis in the statement of the theorem which claims that S is strongly unforgeable.

From now on we assume $(pk^{*(j)}, sig^{*(j)}) = (pk^*, sig^*)$ for both $j = 0, 1$ and the two first steps in the two executions of the interactive signing protocol are identical. Then we run the two executions of the blind signing protocol of scheme BS, playing the role of the signer: we obtain from $B_{IB}$ the information that we must send to the challenger (user) of BS, and this challenger sends back to us the information that we must provide to $B_{IB}$. This challenger of BS is the one who chooses the bit $b \in \{0, 1\}$.

Eventually, adversary $B_{IB}$ outputs its guess $b'$. $B$ outputs the same bit $b'$ as its guess in the blindness game against the blind signature scheme BS.

The first two steps in the two executions of the interactive signing protocol of IB-BS run between $B_{IB}$ and us are identical. Hence distinguishing between the two executions of $\mathsf{IB\text{-}BS.Sign}$ is equivalent to distinguishing between the two executions of $\mathsf{BS.Sign}$. This completes the proof. □

We stress that the signature scheme S really has to be strongly unforgeable; otherwise a signer can break blindness by using different versions of $sk[id_i]$ in different signing sessions and later use this information to trace the user.
Theorem 6. Assume the standard signature scheme S is unforgeable and the blind signature scheme BS is unforgeable. Then the identity-based blind signature scheme IB-BS from Section 4.3 is unforgeable.

The proof of Theorem 6 can be found in [17]. Theorems 5 and 6 imply Theorem 4.
Abstract. Pseudorandom Generators (PRGs) based on the RSA inversion (one-wayness) problem have been extensively studied in the literature over the last 25 years. These generators have the attractive feature of provable pseudorandomness security assuming the hardness of the RSA inversion problem. However, despite extensive study, the most efficient provably secure RSA-based generators output asymptotically only at most $O(\log n)$ bits per multiply modulo an RSA modulus of bitlength $n$, and hence are too slow to be used in many practical applications.

To bring theory closer to practice, we present a simple modification to the proof of security by Fischlin and Schnorr of an RSA-based PRG, which shows that one can obtain an RSA-based PRG which outputs $\Omega(n)$ bits per multiply and has provable pseudorandomness security assuming the hardness of a well-studied variant of the RSA inversion problem, where a constant fraction of the plaintext bits are given. Our result gives a positive answer to an open question posed by Gennaro (J. of Cryptology, 2005) regarding finding a PRG beating the rate $O(\log n)$ bits per multiply at the cost of a reasonable assumption on RSA inversion.

Keywords: Pseudorandom generator, RSA, provable security, lattice 
attack. 


1 Introduction 

Background. The RSA Pseudorandom bit generator (RSA PRG) works by iterating the RSA encryption mapping $x \mapsto x^e \bmod N$ (with public RSA modulus $N$ of length $n$ bits and public exponent $e$ coprime to $\phi(N)$) on a secret random initial seed value $x_0 \in \mathbb{Z}_N$ to compute the intermediate state values $x_{i+1} = x_i^e \bmod N$ (for $i = 0, 1, 2, \ldots$) and outputting $r$ least-significant bits of the state value $x_i$ per iteration. The pseudorandomness of the RSA PRG (especially the case $r = 1$) was studied extensively by several researchers [19,2,30,1,14]. However, even the best security proof so far [14,28] only applies to the case when only a very small number of bits $r = O(\log n)$ is output per iteration. Consequently, even with small public exponent $e$, these proven RSA PRG variants only output $O(\log n)$ bits per multiply modulo $N$ and hence are too slow for most practical applications. As far as we are aware, these are currently the most efficient RSA-based PRGs with proven pseudorandomness security.

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 194-209, 2006. 

© International Association for Cryptologic Research 2006 
Our Approach. Our approach to studying the provable security of efficient variants of the RSA PRG is based on two observations.

First, we observe that existing security proofs of the RSA PRG have always attempted to prove the security assuming the hardness of the classical RSA one-wayness problem (given RSA modulus $N$ and $y = x^e \bmod N$ for random $x \in \mathbb{Z}_N$, find $x$). If we instead make a stronger hardness assumption, we can hope to prove the security of much more efficient and practical variants of the RSA PRG, with $r = \Omega(n)$. But we must be careful in choosing this stronger hardness assumption to ensure that it is based on substantial evidence: it must be a hard problem which has undoubtedly been studied extensively by experts. This leads to our second observation.

Our second observation is that over the last decade, beginning with the work 
of Coppersmith [11], the following variant of the RSA one-wayness problem has 
been studied explicitly: 

$(\delta, e)$-Small Solution RSA ($(\delta, e)$-SSRSA) Problem. Given a random $n$-bit RSA modulus $N$, the coefficients of a univariate polynomial $f(z) = a_e z^e + a_{e-1} z^{e-1} + \cdots + a_0 \in \mathbb{Z}_N[z]$ of degree $e$ (with $a_e \in \mathbb{Z}_N^*$) and $y = f(\bar z) \bmod N$ for a random integer $\bar z < N^{\delta}$ (with $0 < \delta < 1$), find $\bar z$ (note that we will only be interested in instances where $f$ is such that $\bar z$ is uniquely determined by $(N, f, y)$).

The celebrated lattice-based attack of Coppersmith [11] shows that for small $e$, the $(\delta, e)$-SSRSA problem can be solved in polynomial time (in $n$) whenever $\delta < 1/e$. But when $\delta > 1/e + \epsilon$ for some constant $\epsilon > 0$, the lattice attack fails, and the only known attack (beyond factoring $N$) is to run the lattice attack $O(N^{\epsilon})$ times for each guess of the $\epsilon \cdot n$ most-significant bits of $\bar z$. Hence, when $\epsilon$ is made sufficiently large to make the above lattice attack slower than factoring $N$ (namely even $\epsilon = O((\log n / n)^{2/3})$ suffices), the best known attack against the $(1/e + \epsilon, e)$-SSRSA problem is to factor $N$. Importantly, this hardness assumption is supported by explicit evidence in the literature that the $(1/e + \epsilon, e)$-SSRSA problem has been studied by experts [12,26,10], yet these studies have not yielded an efficient algorithm for the $(1/e + \epsilon, e)$-SSRSA problem.

Our Result. We present a simple modification to the proof of security of the RSA PRG by Fischlin and Schnorr [14] which shows that assuming the hardness of a certain specific $(1/e + \epsilon, e)$-SSRSA one-wayness problem suffices to prove the pseudorandomness of the RSA PRG outputting $r = (1/2 - 1/e - \epsilon - o(1)) \cdot n$ LS bits per iteration. Our specific $(1/e + \epsilon, e)$-SSRSA one-wayness problem can be posed as RSA inversion with some known plaintext bits, namely: Given $N$, $y = [x^e]_N$, $r$ LS bits of $x$ and $w \approx n/2$ MS bits of $x$, for $x \in_R \mathbb{Z}_N$, find $x$. For small (constant) $e \geq 3$ we therefore obtain a throughput of $\Omega(n)$ output pseudorandom bits per multiply modulo the RSA modulus $N$, which is a significant improvement over the $O(\log n)$ bits per multiply throughput obtained using previous proofs of security relative to the RSA assumption. We believe this answers in the positive an open question raised by Gennaro [15], who asked whether one can obtain a PRG which beats the rate $O(\log n)$ bits per multiply at the cost of a stronger but reasonable assumption on RSA inversion.
Organization. In Section 1.1 we discuss additional related work. Section 2 contains definitions and notations. In Section 3, we review the RSA PRG construction and its proof of security by Fischlin and Schnorr [14]. Section 4 presents our modified security proof for the RSA PRG assuming the hardness of a $(1/e + \epsilon, e)$-SSRSA problem. In Section 5, we estimate concrete parameters and associated PRG performance for given proven security level and security assumptions. In Section 6 we investigate the potential for performance improvements using a stronger hardness assumption. Section 7 concludes the paper with some open problems.

1.1 Additional Related Work 

Related PRG constructions can be divided into two classes.

The first class contains PRGs based on related hardness assumptions. The well known Blum-Blum-Shub (BBS) generator [6] has the same structure as the RSA PRG, but uses the Rabin squaring iteration function instead. Similar security results as for the RSA PRG are known for this generator [14], but we need a less known assumption to prove the security of efficient variants of this generator (see Section 6). The factoring-based construction by Goldreich and Rosen [17] has a throughput of $O(1)$ bits per multiply modulo an $n$ bit modulus. The Micali-Schnorr RSA-based constructions [24] have a throughput of $\Omega(n)$ bits per multiply, but their pseudorandomness security is only proven assuming the pseudorandomness of the RSA function with small inputs, whereas for our construction we can prove pseudorandomness assuming only a much weaker assumption of one-wayness of RSA with small inputs. The PRG of Boneh et al [9] also achieves a throughput of $\Omega(n)$ bits per multiply (and in fact may use a smaller prime modulus), but its provable pseudorandomness security also relies on a pseudorandomness assumption rather than a one-wayness assumption.

The second class of PRGs achieve provable pseudorandomness based on different one-wayness assumptions. The construction by Impagliazzo and Naor [21] is based on the hardness of the Subset Sum problem. Although this construction is potentially very efficient, its concrete security against lattice-based subset sum attacks is difficult to estimate and requires carefully chosen large parameters with a small number of bits output per function evaluation. Very recently, a more practical 'QUAD' construction by Berbain et al [3] was proposed, using similar ideas to [21] in its security proof, but based on the hardness of solving a random system of multivariate quadratic equations over a finite field ('MQ' problem). We compare the practical performance of our construction with QUAD in Section 5. The fastest PRG based on the hardness of a variant of the Discrete-Log one-wayness problem is due to Gennaro [15] (improving on earlier work by Patel and Sundaram [27]), but its throughput is at most $O((n/\log n)^{2/3}) = o(n)$ bits per multiply, compared to $\Omega(n)$ bits per multiply for our construction with the same modulus length $n$ and conjectured security level.

Finally, we also wish to mention the lattice-based attacks of Blackburn et al [5,4] on a class of PRGs having the same iterative structure as our RSA PRG. These attacks show that the RSA PRG is insecure when the number of bits output per iteration $r$ is larger than about | n [5] for $e = 2$, and about $\left(1 - \frac{1}{e(e+1)/2 + 2}\right) n$ [4] in the general case (these results are obtained for $r$ MS bits output per iteration and prime moduli, but we believe that with appropriate modifications they hold also for $r$ LS bits and RSA moduli). We remark that the general case attacks in [4] use low-dimension lattices and are rigorously proven. A heuristic extension of these attacks to high dimension lattices using the Coppersmith method [11] suggests that the RSA PRG is insecure asymptotically with $r > (1 - ^-j-) n$ (we omit details of these calculations here). These lower bounds for insecure values of $r$ are greater by a factor of about 2 than the upper bounds on $r$ for which our security proof applies. Closing this remaining gap between best attack and best proof is an interesting open problem.

2 Preliminaries 

Notation. For integers $x$ and $N$, we use $[x]_N$ to denote the remainder $x \bmod N$. We use $L_r(x) = [x]_{2^r}$ to denote the $r$ least significant bits of the binary representation of $x$. Similarly, we use $M_r(x) = (x - L_{n-r}(x))/2^{n-r}$ (where $n$ is the bit length of $x$) to denote the $r$ most significant bits of the binary representation of $x$. For $x \in \mathbb{Z}_N$, we use $M_{N,r}(x)$ to denote any approximation of $x$ with additive error $|x - M_{N,r}(x)| < N/2^r$.

Probability Distributions and Distinguishers. Let $\mathcal{D}$ denote a probability distribution over $\{0,1\}^{\ell}$. We denote by $s \leftarrow \mathcal{D}$ the assignment to $s$ of a random element sampled from the distribution $\mathcal{D}$. If $S$ denotes a set then we let $s \in_R S$ denote the assignment to $s$ of a uniformly random element sampled from $S$. Let $\mathcal{D}_1$ and $\mathcal{D}_2$ denote two probability distributions on some finite set. We say that an algorithm $D$ is a $(T, \delta)$ distinguisher between $\mathcal{D}_1$ and $\mathcal{D}_2$ if $D$ runs in time at most $T$ and has distinguishing advantage at least $\delta$ between $\mathcal{D}_1$ and $\mathcal{D}_2$, i.e. $|\Pr_{s \leftarrow \mathcal{D}_1}[D(s) = 1] - \Pr_{s \leftarrow \mathcal{D}_2}[D(s) = 1]| \geq \delta$. The statistical distance between two distributions $\mathcal{D}_1$ and $\mathcal{D}_2$ is $\frac{1}{2}\sum_s |\mathcal{D}_1(s) - \mathcal{D}_2(s)|$. It gives an upper bound on the distinguishing advantage of any distinguisher between $\mathcal{D}_1$ and $\mathcal{D}_2$, regardless of run-time.

Pseudorandom Bit Generators (PRGs). We use the following definition of 
pseudorandom generators and their concrete pseudorandomness. 

Definition 1 ($(T,\delta)$ PRG). A $(T,\delta)$ Pseudorandom Generator (family) PRG is a collection of functions $G_N : S_N \to \{0,1\}^{\ell}$ indexed by $N \in \mathcal{I}_n$. Here $\mathcal{I}_n$ (PRG function index space) and $S_N$ (PRG seed domain) are both efficiently samplable subsets of $\{0,1\}^n$, where $n$ is the security parameter. We require that any (probabilistic) distinguisher algorithm $D$ running in time $T$ has distinguishing advantage at most $\delta$ between the pseudorandom distribution $\mathcal{D}_{P,\ell}$ and the random distribution on $\ell$-bit strings, which are defined as follows:

$\mathcal{D}_{P,\ell} = \{ s : N \in_R \mathcal{I}_n;\ x_0 \in_R S_N;\ s = G_N(x_0) \}$

while

$\mathcal{D}_{R,\ell} = \{ s : s \in_R \{0,1\}^{\ell} \}.$

If algorithm $D$ runs in time $T$ and has distinguishing advantage at least $\delta$ between $\mathcal{D}_{P,\ell}$ and $\mathcal{D}_{R,\ell}$, we say that $D$ is a $(T,\delta)$ distinguisher for PRG.

The RSA Inversion Problem. The classical RSA inversion problem is defined 
as follows. 

Definition 2 ($(n,e)$-RSA problem). Let $e$ be a fixed integer. Let $\mathcal{I}_n$ denote the set of all $n$-bit RSA moduli $N = pq$ (for $p, q$ primes of $n/2$ bits each) such that $\gcd(e, (p-1)(q-1)) = 1$. The $(n,e)$-RSA inversion problem is the following: given $N \in_R \mathcal{I}_n$ and $y = [x^e]_N$ for $x \in_R \mathbb{Z}_N$, find $x$. We say that algorithm $A$ is a $(T, \epsilon)$ inversion algorithm for $(n,e)$-RSA if $A$ runs in time $T$ and succeeds with probability $\epsilon$ over the choice of $N \in_R \mathcal{I}_n$, $x \in_R \mathbb{Z}_N$ and the random coins of $A$.

Lattices. Let $\{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$ be a set of $n$ linearly independent vectors in $\mathbb{R}^n$. The set

$\mathcal{L} = \{ \mathbf{z} : \mathbf{z} = c_1 \mathbf{b}_1 + \ldots + c_n \mathbf{b}_n;\ c_1, \ldots, c_n \in \mathbb{Z} \}$

is called an $n$-dimensional (full-rank) lattice with basis $\{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$. Given a basis $B = \{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$ for a lattice $\mathcal{L}$, we define the associated basis matrix $M_{\mathcal{L},B}$ to be the (full-rank) $n \times n$ matrix whose $i$th row is the $i$th basis vector $\mathbf{b}_i$ for $i = 1, \ldots, n$. The quantity $|\det(M_{\mathcal{L},B})|$ is independent of $B$. It is called the determinant of the lattice $\mathcal{L}$ and denoted by $\det(\mathcal{L})$. Given any basis of a lattice $\mathcal{L}$, the well-known LLL algorithm [22] outputs in polynomial time a reduced basis for $\mathcal{L}$ consisting of short vectors. We use the following result [8] bounding the length of those vectors.

Lemma 1. Let $\mathcal{L}$ be a lattice of dimension $d$ with basis matrix $B_{\mathcal{L}}$ in lower diagonal form whose diagonal elements are greater or equal to 1. Then the Euclidean norm of the first two vectors in the LLL reduced basis for $\mathcal{L}$ is at most $2^{d/2} (\det(\mathcal{L}))^{\frac{1}{d-1}}$.

3 Overview of the Fischlin-Schnorr Security Proof 

The RSA PRG. We begin by recalling the RSA PRG construction. 

Definition 3 ($(n,e,r,\ell)$-RSAPRG Pseudorandom Generator). The pseudorandom generator family $(n,e,r,\ell)$-RSAPRG is defined as follows. The PRG function index space $\mathcal{I}_n$ is the set of all $n$-bit RSA moduli $N = pq$ (for $p, q$ primes of $n/2$ bits each) such that $\gcd(e, (p-1)(q-1)) = 1$. Given index $N \in \mathcal{I}_n$ the PRG seed domain is $\mathbb{Z}_N$. Assume that $\ell$ is a multiple of $r$. Given a seed $x_0 \in_R \mathbb{Z}_N$, the PRG function $G_N : \mathbb{Z}_N \to \{0,1\}^{\ell}$ is defined by

$G_N(x_0) = (s_0, \ldots, s_{\ell/r - 1}) : \quad s_i = L_r(x_i),\ x_{i+1} = [x_i^e]_N \ \text{ for } i = 0, \ldots, \ell/r - 1.$
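As an added example (not code from the paper), the $(n,e,r,\ell)$-RSAPRG of Definition 3 together with the $L_r$ and $M_r$ notation of Section 2, run on a constructed toy 60-bit modulus $N = pq$ whose primes are chosen so that $\gcd(3, (p-1)(q-1)) = 1$; the seed and bit patterns used are constructed values.

```python
from math import gcd

# Toy parameters constructed for this example; a real RSA modulus has 1024+ bits.
P, Q = 1000000007, 998244353       # primes; p-1 and q-1 are both coprime to e = 3
E = 3
N = P * Q
n = N.bit_length()                 # n = 60, so p and q are n/2 = 30-bit primes
assert gcd(E, (P - 1) * (Q - 1)) == 1   # the condition defining the index space I_n

def L(r, x):
    """L_r(x): the r least-significant bits of x, as an integer in [0, 2^r)."""
    return x % (1 << r)

def M(r, x, nbits=n):
    """M_r(x) = (x - L_{n-r}(x)) / 2^{n-r}: the r most-significant bits of the n-bit x."""
    return (x - L(nbits - r, x)) >> (nbits - r)

def rsaprg(x0, r, ell, modulus=N, e=E):
    """G_N(x0) from Definition 3: for i = 0 .. ell/r - 1 output s_i = L_r(x_i) and step
    x_{i+1} = [x_i^e]_N.  Returns the r-bit chunks and the concatenated ell-bit string
    (s_0 first, each chunk written MSB-first with r binary digits)."""
    if ell % r != 0:
        raise ValueError("ell must be a multiple of r")
    chunks, x = [], x0
    for _ in range(ell // r):
        chunks.append(L(r, x))
        x = pow(x, e, modulus)         # one RSA iteration: about log2(e) multiplies
    return chunks, "".join(format(s, f"0{r}b") for s in chunks)

def parse_output(bits, r):
    """Inverse of the concatenation above: split an ell-bit string back into r-bit chunks,
    the form in which a distinguisher for the (n,e,r,ell)-RSAPRG sees its input."""
    return [int(bits[i:i + r], 2) for i in range(0, len(bits), r)]

if __name__ == "__main__":
    seed = 314159265358979323         # constructed seed x_0 < N
    chunks, bits = rsaprg(seed, r=6, ell=30)
    print(chunks, bits)
```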

As will become clear below, our result builds on the Fischlin-Schnorr result in essentially a 'black box' way, so our result can be understood without knowing most of the internal details of the reduction in [14]. Hence, in this section we provide only a very high-level overview of the basic security reduction [14] for the RSA PRG from the RSA assumption, in the case of $r$ LS bits output per iteration (refer to the full version of the paper [29] for more details).

Using our notation, the Fischlin-Schnorr security result can be stated concretely as follows.

Theorem 1 (Fischlin-Schnorr [14]). For all $n \geq 2^9$, any $(T,\delta)$ distinguisher $D$ for $(n,e,r,\ell)$-RSAPRG can be converted into a $(T_{INV}, \delta/9)$ inversion algorithm $A$ for the $(n,e)$-RSA problem with run-time at most

$T_{INV} = 2^{2r+14} (\ell/\delta)^6\, n \log(n) \cdot (T + O(\ell/r\, \log(e)\, n^2)).$ (1)

Proof. We are given a distinguisher $D$ with run-time $T$ and distinguishing advantage $Adv(D) \geq \delta$ between the pseudorandom distribution $\mathcal{D}_{P,\ell}$ (obtained by iterating $m = \ell/r$ times and outputting $r$ LS bits per iteration) and the random distribution $\mathcal{D}_{R,\ell}$ on $\ell$ bit strings, namely:

$\mathcal{D}_{P,\ell} = \{ G_N(x_0) : N \in_R \mathcal{I}_n;\ x_0 \in_R \mathbb{Z}_N \}$

$\mathcal{D}_{R,\ell} = \{ s : s \in_R \{0,1\}^{\ell} \}.$

We use $D$ to construct the $(n,e)$-RSA inversion algorithm $A$ as follows.

As a first step, we note that the pseudorandom distribution $\mathcal{D}_{P,\ell}$ is taken over the random choice of modulus $N \in_R \mathcal{I}_n$ as well as random seed $x_0 \in_R \mathbb{Z}_N$. For the remainder of the proof, we wish to fix $N$ and find a lower bound on the distinguishing advantage $Adv_N(D)$ between $\mathcal{D}_{R,\ell}$ and the pseudorandom distribution $\mathcal{D}_{P,\ell,N}$ taken over just the random choice of $x_0 \in_R \mathbb{Z}_N$ for this fixed $N$, that is:

$\mathcal{D}_{P,\ell,N} = \{ G_N(x_0) : x_0 \in_R \mathbb{Z}_N \}.$

To do so, we use an averaging argument over $N$.

Lemma 2. There exists a subset $\mathcal{G}_n \subseteq \mathcal{I}_n$ of size at least $|\mathcal{G}_n| \geq (\delta/2)\,|\mathcal{I}_n|$ such that $D$ has distinguishing advantage at least $\delta/2$ between the distributions $\mathcal{D}_{P,\ell,N}$ and $\mathcal{D}_{R,\ell}$ for all $N \in \mathcal{G}_n$.

From now on we assume that $N \in \mathcal{G}_n$ (which happens with probability at least $\delta/2$ over $N \in_R \mathcal{I}_n$) so that $D$ has distinguishing advantage at least $\delta/2$ between $\mathcal{D}_{P,\ell,N}$ and $\mathcal{D}_{R,\ell}$. (We remark that this first step is actually omitted in [14], which always assumes a fixed $N$; however we add this step since we believe it is essential for a meaningful security proof: to demonstrate an efficient algorithm for RSA inversion contradicting the RSA assumption, one must evaluate its success probability over the random choice of modulus $N$, since for any fixed $N$ an efficient algorithm always exists; it has built into it the prime factors of $N$.)

We now convert the $\ell/r$-iteration distinguisher $D$ into a 1-iteration distinguisher $D'$. This is a 'hybrid' argument using the fact that the mapping $x \mapsto [x^e]_N$ is a permutation on $\mathbb{Z}_N$. Note that the 'hybrid' argument underlying this reduction has been known since the work of [18,7] and it is not explicitly included in [14].
Lemma 3 ($m = \ell/r$ iterations to 1 iteration). Any $(T,\delta)$ distinguisher $D$ between the $m$-iteration pseudorandom distribution $\mathcal{D}_{P,\ell,N}$ and the random distribution $\mathcal{D}_{R,\ell}$ can be converted into a $(T + O(m \log(e) n^2), \delta/m)$ 1-iteration distinguisher $D'$ between the distributions

$\mathcal{D}'_{P,r,N} = \{ (y = [x^e]_N, s = L_r(x)) : x \in_R \mathbb{Z}_N \}$

$\mathcal{D}'_{R,r,N} = \{ (y = [x^e]_N, s) : x \in_R \mathbb{Z}_N;\ s \in_R \{0,1\}^r \}.$

The main part of the Fischlin-Schnorr reduction [14] is the conversion of the distinguisher $D'$ into an inversion algorithm that recovers the RSA preimage $x$ from $y = [x^e]_N$ with the help of some additional information on $x$, namely $r$ least-significant bits of $[ax]_N$ and $[bx]_N$ for some randomly chosen known $a, b \in \mathbb{Z}_N$, as well as rough approximations to $[ax]_N$ and $[bx]_N$. This is stated more precisely as follows.

Lemma 4 (Distinguisher to Inverter). For all $n \geq 2^9$, any $(T,\delta)$ distinguisher $D'$ between the distributions $\mathcal{D}'_{P,r,N}$ and $\mathcal{D}'_{R,r,N}$ (see Lemma 3) can be converted into an inversion algorithm $A'$ that, given $N$ and $(y = [x^e]_N,\ a \in_R \mathbb{Z}_N,\ s_1 = L_r([ax]_N),\ u_1 = M_{N,k}([ax]_N),\ b \in_R \mathbb{Z}_N,\ s_2 = L_r([bx]_N),\ u_2 = M_{N,l}([bx]_N))$, for any $x \in \mathbb{Z}_N$ with $k = 3\log(r/\delta) + 4$ and $l = \log(r/\delta) + 4$, outputs $x$ with probability $\epsilon'_{INV} \geq 2/9$ (over the choice of $a \in_R \mathbb{Z}_N$, $b \in_R \mathbb{Z}_N$ and the random coins of $A'$) and runs in time $T'_{INV} = 4 n \log(n) (r/\delta)^2 \cdot (T + O(n^2))$. Here $M_{N,k}(x)$ denotes any approximation of $x$ with additive error $|M_{N,k}(x) - x| < 2^{n-k}$.

Putting it Together. On input $(N, y = [x^e]_N)$, the RSA inversion algorithm $A$ runs as follows. It applies Lemmas 2 and 3 to convert the $(T,\delta)$ distinguisher $D$ into a $(T + O(m \log(e) n^2), \delta/(2m))$ distinguisher $D'$ between distributions $\mathcal{D}'_{P,r,N}$ and $\mathcal{D}'_{R,r,N}$ which works for at least a fraction $\delta/2$ of $N \in \mathcal{I}_n$. Then $A$ applies Lemma 4 to convert $D'$ into the inversion algorithm $A'$. $A$ now chooses random $a$ and $b$ in $\mathbb{Z}_N$. Since $A$ does not know the 'extra information' $s_1 = L_r([ax]_N)$, $u_1 = M_{N,k}([ax]_N)$, $s_2 = L_r([bx]_N)$ and $u_2 = M_{N,l}([bx]_N)$ required by $A'$, $A$ just exhaustively searches through all $N_g$ possible values of $(s_1, u_1, s_2, u_2)$ and runs $A'$ on input $(N, y = [x^e]_N, a, s_1, u_1, b, s_2, u_2)$ for every guessed possibility $(s_1, u_1, s_2, u_2)$ until $A'$ succeeds to recover $x$. Note that to find an approximation $M_{N,k}([ax]_N)$ correct within additive error $N/2^k$ it is enough to search through $2^{k-1}$ uniformly spaced possibilities $(N/2^{k-1})\, i$ for $i = 0, \ldots, 2^{k-1} - 1$. Since $k = 3\log(2mr/\delta) + 4 = 3\log(2\ell/\delta) + 4$ and $l = \log(2\ell/\delta) + 4$, there are at most

$N_g = 64\, (2\ell/\delta)^4\, 2^{2r}$ (2)

guessing possibilities for $L_r([ax]_N)$, $M_{N,k}([ax]_N)$, $L_r([bx]_N)$, $M_{N,l}([bx]_N)$ to search through. So the run-time bound of $A$ is

$T_{INV} = N_g \cdot (4 n \log(n) (2\ell/\delta)^2) \cdot (T + O(m \log(e) n^2))$

$\quad\;\; = 2^{2r+14} (\ell/\delta)^6\, n \log(n) \cdot (T + O(m \log(e) n^2)).$ (3)

For at least a fraction $\delta/2$ of $N \in \mathcal{I}_n$, with the correct guessed value of the 'extra information', $A'$ succeeds with probability at least $2/9$ over the choice of $a, b$. Hence we conclude that the success probability of $A$ is at least $\epsilon_{INV} \geq \delta/9$, as claimed. □

We can interpret Theorem 1 as follows. Suppose we assume that the expected run-time $T_{INV}/\epsilon_{INV}$ of any $(T_{INV}, \epsilon_{INV})$ RSA inversion algorithm is at least $T_L$. Then Theorem 1 can be used to convert a $(T,\delta)$ distinguisher for $(n,e,r,\ell)$-RSAPRG to an RSA inverter contradicting our hardness assumption only if we output at most $r$ bits per iteration, where

$r < \frac{1}{2} \log\left( \frac{T_L}{9 \cdot 2^{14} \cdot n \log n\, \ell^6\, \delta^{-7} \cdot T} \right).$ (4)

Hence asymptotically, if we take $T_L = \mathrm{poly}(n)$ (i.e. assume no poly-time RSA algorithm) then we get $r = O(\log(n))$ bits per iteration. If we assume that $T_L = O(2^{c\, n^{1/3} (\log n)^{2/3}})$ for constant $c$ (run-time of the Number Field Sieve factoring algorithm [23]) then we can have $r = O(n^{1/3} \log^{2/3} n)$. But in any case, $r = o(n)$.

4 Our Modified Security Proof from an SSRSA Problem 

We now explain how we modify the above reduction to solve a well-studied SSRSA problem and the resulting improved PRG efficiency/security tradeoff.

Our goal is to remove the search factor $N_g = 64 \cdot 2^{2r} (2\ell/\delta)^4$ from the run-time bound (3) of the reduction in the proof of Theorem 1. The simplest way to do so is to provide the inversion algorithm $A$ with the correct values for the 'extra information' required by the inversion algorithm $A'$ of Lemma 4. This leads us to consider the following (not well-known) inversion problem that we call $(n,e,r,k,l)$-FSRSA:

Definition 4 ($(n,e,r,k,l)$-FSRSA Problem). Given RSA modulus $N$, and $(y = [x^e]_N,\ a \in_R \mathbb{Z}_N,\ s_1 = L_r([ax]_N),\ u_1 = M_{N,k}([ax]_N),\ b \in_R \mathbb{Z}_N,\ s_2 = L_r([bx]_N),\ u_2 = M_{N,l}([bx]_N))$, for $x \in_R \mathbb{Z}_N$, find $x$ (here $M_{N,k}(x)$ denotes any approximation to $x$ with additive error $|M_{N,k}(x) - x| < N/2^k$). We say that algorithm $A$ is a $(T,\eta)$ inversion algorithm for $(n,e,r,k,l)$-FSRSA if $A$ runs in time at most $T$ and has success probability at least $\eta$ (over the random choice of $N \in_R \mathcal{I}_n$, $x, a, b \in_R \mathbb{Z}_N$ and the random coins of $A$, where $\mathcal{I}_n$ is the same as in Definition 2).

With the search factor $N_g$ removed from the Fischlin-Schnorr reduction we therefore have that the hardness of the inversion problem $(n,e,r,k,l)$-FSRSA (with $k = 3\log(2\ell/\delta) + 4$ and $l = \log(2\ell/\delta) + 4$) suffices for the 'simultaneous security' of the $r$ least-significant RSA message bits (i.e. indistinguishability of distributions $\mathcal{D}'_{P,r,N}$ and $\mathcal{D}'_{R,r,N}$ in Lemma 3) and hence the pseudorandomness of $(n,e,r,\ell)$-RSAPRG, with a much tighter reduction than the one of Theorem 1 relative to the RSA problem.
Theorem 2. For all $n \geq 2^9$, any $(T,\delta)$ distinguisher $D$ for $(n,e,r,\ell)$-RSAPRG can be converted into a $(T_{INV}, \delta/9)$ inversion algorithm $A$ for the $(n,e,r,k,l)$-FSRSA problem (with $k = 3\log(2\ell/\delta) + 4$ and $l = \log(2\ell/\delta) + 4$) with run-time at most

$T_{INV} = 16 \cdot (\ell/\delta)^2\, n \log(n) \cdot (T + O(\ell/r\, \log(e)\, n^2)).$ (5)

Proof. We use the same inversion algorithm $A$ as in the proof of Theorem 1, except that when applying Lemma 4, $A$ runs inversion algorithm $A'$ just once using the correct values of $(a, b, s_1 = L_r([ax]_N), u_1 = M_{N,k}([ax]_N), s_2 = L_r([bx]_N), u_2 = M_{N,l}([bx]_N))$ given as input to $A$, eliminating the search through $N_g = 64 (2\ell/\delta)^4 2^{2r}$ possible values for $(s_1, u_1, s_2, u_2)$. □

We defer to Section 6.1 our cryptanalysis of the $(n,e,r,k,l)$-FSRSA problem using the lattice-based method introduced by Coppersmith [11], which leads us to conjecture that the problem is hard whenever $r/n < 1/2 - 1/(2e) - (k+l)/2n - \epsilon$ for constant $\epsilon > 0$. This assumption together with the above reduction already implies the security of the efficient variants of $(n,e,r,\ell)$-RSAPRG with $r = \Omega(n)$. Unfortunately, $(n,e,r,k,l)$-FSRSA is a new problem and consequently our conjecture on its hardness is not currently supported by extensive research. However, we will now show that in fact for $r/n = 1/2 - \max(k,l)/n - 1/e - \epsilon$ (note that this is smaller by $(\max(k,l) - (k+l)/2)/n + 1/(2e)$ than the largest secure value of $r/n$ conjectured above), the problem $(n,e,r,k,l)$-FSRSA is at least as hard as a specific $(1/e + \epsilon, e)$-SSRSA problem (i.e. with a specific univariate polynomial $f$ of degree $e$) which we call $(n,e,r,w)$-CopRSA and define as follows:

Definition 5 ($(n,e,r,w)$-CopRSA Problem). Given RSA modulus $N$, and $(y = [x^e]_N,\ s_L = L_r(x),\ s_H = M_{n/2+w}(x))$, for $x \in_R \mathbb{Z}_N$, find $x$ (here $M_k(x)$ denotes the $k$ most-significant bits of the binary representation of $x$). We say that algorithm $A$ is a $(T,\eta)$ inversion algorithm for $(n,e,r,w)$-CopRSA if $A$ runs in time at most $T$ and has success probability at least $\eta$ (over the random choice of $N \in_R \mathcal{I}_n$, $x \in_R \mathbb{Z}_N$ and the random coins of $A$, where $\mathcal{I}_n$ is the same as in Definition 2).

To see that the $(n,e,r,w)$-CopRSA problem is a specific type of SSRSA problem, note that it is equivalent to finding a small solution $\bar z < 2^{n/2 - w - r}$ (consisting of bits $r+1, \ldots, (n/2 - w)$ of the randomly chosen integer $x$) to the equation $f(z) = y \bmod N$, where the degree $e$ polynomial is $f(z) = (2^r z + s)^e$, with $s = s_H \cdot 2^{n/2 - w} + s_L$ known. Hence $(n,e,r,w)$-CopRSA is a $(1/e + \epsilon, e)$-SSRSA problem when $1/2 - (r+w)/n = 1/e + \epsilon$, i.e. $r/n = 1/2 - 1/e - \epsilon - w/n$.

Theorem 3. Let $A'$ be a $(T', \eta')$ attacker against $(n,e,r,w-1,w-1)$-FSRSA. Then we construct a $(T,\eta)$ attacker $A$ against $(n,e,r,w)$-CopRSA with

$T = 4T' + O(n^2)$ and $\eta = \eta' - 4/2^{n/2}.$

Proof. On input ( N , y = [x e ]i v, sl = L r (x),SH = M n / 2+w (x)), for N Gr T n and 
x Gr Z v ■ the attacker A runs as follows: 
- Choose a uniformly random $b \in_R \mathbb{Z}_N$.

- Compute an integer $c$ coprime to $N$ with $|c| < N^{1/2}$ such that $|[bc]_N| < N^{1/2}$ (here $[z]_N \in (-N/2, N/2)$ denotes the 'symmetrical' residue of $z$ modulo $N$, i.e. the least non-negative residue $z \bmod N$ if that residue lies in $[0, N/2)$, and that residue minus $N$ if it lies in $[N/2, N)$). It is well known that such a $c$ exists and can be computed efficiently (in time $O(n^2)$) using continued fractions (see, e.g. Lemma 16 in [25]).

- Observe that $[cx]_N = cx - \omega_c N$, where $\omega_c = \lfloor cx/N \rfloor$. Let $\bar{x} = s_H \cdot 2^{n/2-w}$. Notice that $\bar{x}$ approximates $x$ within additive error $\Delta_x < 2^{n/2-w}$ and consequently the rational number $c\bar{x}/N$ approximates $cx/N$ within additive error $|c|\Delta_x/N < \Delta_x/N^{1/2} < 2^{n/2-w}/2^{(n-1)/2} < 1$, where we have used the fact that $|c| < N^{1/2}$ and $w \geq 1$. It follows that $\omega_c \in \{\lfloor c\bar{x}/N \rfloor, \lfloor c\bar{x}/N \rfloor \pm 1\}$ (where the $+$ sign applies if $c > 0$ and the $-$ sign applies otherwise). So $A$ obtains 2 candidates for $\omega_c$.

- Using $L_r([cx]_N) = L_r(cx - \omega_c N) = L_r(L_r(c) \cdot L_r(x) - L_r(\omega_c N))$, $A$ computes (with the known $s_L = L_r(x)$, $c$ and $N$) 2 candidates for $L_r([cx]_N)$ from the 2 candidates for $\omega_c$.

- Similarly, writing $[bcx]_N = [bc]_N \cdot x - \omega_{bc} N$, with $\omega_{bc} = \lfloor [bc]_N \cdot x / N \rfloor$, using $|[bc]_N| < N^{1/2}$ we obtain $\omega_{bc} \in \{\lfloor [bc]_N \bar{x}/N \rfloor, \lfloor [bc]_N \bar{x}/N \rfloor \pm 1\}$ (with $+$ sign if $[bc]_N > 0$ and $-$ sign otherwise), so $A$ also computes 2 candidates for $\omega_{bc}$ and two corresponding candidates for $L_r([bcx]_N) = L_r([bc]_N x - \omega_{bc} N) = L_r(L_r([bc]_N) L_r(x) - \omega_{bc} N)$.

- Using $\bar{x}$ and the 2 candidates for $\omega_c$ computed above, $A$ computes two candidate approximations $c\bar{x} - \omega_c N$ for $[cx]_N$. Since $\bar{x}$ approximates $x$ within additive error $\Delta_x < 2^{n/2-w}$ we have that $c\bar{x} - \omega_c N$ approximates $[cx]_N$ within additive error $|c|\Delta_x < N^{1/2} 2^{(n-1)/2}/2^{w-1/2} < N/2^{w-1}$ using $N > 2^{n-1}$.

- Similarly, using $\bar{x}$ and the 2 candidates for $\omega_{bc}$ computed above, $A$ computes two candidate approximations $[bc]_N \bar{x} - \omega_{bc} N$ for $[bcx]_N$, one of which has additive error $|[bc]_N| \Delta_x < N/2^{w-1}$.

- Choose a uniformly random $a \in_R \mathbb{Z}_N^*$ and compute $y' = [(a^{-1}c)^e y]_N = [(a^{-1}cx)^e]_N$.

- Collecting all of the above information, $A$ obtains 4 candidates for $(N, y' = [(a^{-1}cx)^e]_N, a, s_1 = L_r([cx]_N), u_1 = M_{N,w-1}([cx]_N), b' = [ab]_N, s_2 = L_r([bcx]_N), u_2 = M_{N,w-1}([bcx]_N))$. Note that this is a valid instance of $(n, e, r, w-1, w-1)$-FSRSA. Furthermore, it has almost exactly the correct distribution, since the triple $(x' = [a^{-1}cx]_N, a, b' = [ab]_N)$ is uniformly random in $\mathbb{Z}_N \times \mathbb{Z}_N^* \times \mathbb{Z}_N$ thanks to the uniformly random choice of $(x, a, b) \in \mathbb{Z}_N \times \mathbb{Z}_N^* \times \mathbb{Z}_N$. The FSRSA instance distribution is not exactly correct because here $a$ is uniform on $\mathbb{Z}_N^*$ while it should be uniform on $\mathbb{Z}_N$. However, a simple calculation shows that the statistical distance between the uniform distribution on $\mathbb{Z}_N^*$ and the uniform distribution on $\mathbb{Z}_N$ is negligible, namely $1 - \phi(N)/N = (p+q-1)/N < 4/2^{n/2}$.

- $A$ runs $A'$ on the above 4 candidate $(n, e, r, w-1, w-1)$-FSRSA instances. On one of those runs, $A'$ outputs $x' = [a^{-1}cx]_N$ with probability at least $\eta' - 4/2^{n/2}$, from which $x$ is easily recovered as $x = [ac^{-1}x']_N$.
Note that the run-time of $A$ is bounded as $T \leq 4T' + O(n^2)$ and $A$ succeeds with probability at least $\eta' - 4/2^{n/2}$, as required. This completes the proof. □

So, combining Theorems 2 and 3, we conclude:

Corollary 1. For all $n > 2^9$, any $(T, \delta)$ distinguisher $D$ for $(n, e, r, \ell)$-RSAPRG can be converted into a $(T_{\mathrm{INV}}, \epsilon_{\mathrm{INV}})$ inversion algorithm $A$ for the $(n, e, r, w)$-CopRSA problem (with $w = 3\log(2\ell/\delta) + 5$) with

$$ T_{\mathrm{INV}} = 64 \cdot (\ell/\delta)^2 \, n \log(n) \cdot \big(T + O((\ell/r) \log(e)\, n^2)\big) \quad\text{and}\quad \epsilon_{\mathrm{INV}} = \delta/9 - 4/2^{n/2}. \qquad (6) $$

Remark. Fischlin and Schnorr [14] also outline an alternative security reduction (worked out in detail and optimized for the Rabin iteration function by Sidorenko and Schoenmakers [28]) for the $(n, e, r, \ell)$-RSAPRG with $r > 1$ based on a general 'Computational XOR Lemma' [30,16]. However, this alternative reduction has an inherent exponential run-time factor $2^{2r}$ which we do not know how to eliminate, even using our stronger SSRSA assumption on RSA inversion.
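As an added worked example (not code from the paper), the following Python carries out the integer arithmetic of attacker $A$ in the proof of Theorem 3 on a constructed 60-bit toy modulus: the computation of the small multiplier $c$ by the extended Euclidean algorithm (the standard way to realize the continued-fraction lemma the proof cites), the symmetrical residue, the two candidates each for $\omega_c$ and $\omega_{bc}$ obtained from the high-bit approximation $\bar{x}$, and a check that one of the resulting 4 candidate tuples carries the exact low-$r$ bits and an approximation error below $N/2^{w-1}$, which is what makes the constructed FSRSA instance valid. The primes, the parameter values and the function names are assumptions of this example.

```python
# Added worked example (not from the paper): the integer arithmetic behind the
# CopRSA -> FSRSA reduction of Theorem 3, run on a constructed toy modulus.
from math import gcd

# Constructed toy RSA modulus: two well-known 30-bit primes, n = 60 bits.
# Far too small for any security purpose; chosen so that every step is instant.
P_DEMO, Q_DEMO = 1000000007, 998244353
N_DEMO = P_DEMO * Q_DEMO


def sym_residue(z, N):
    """'Symmetrical' residue [z]_N in (-N/2, N/2), as defined in the proof."""
    z %= N
    return z - N if 2 * z >= N else z


def small_multiplier(b, N):
    """Return c coprime to N with |c| < sqrt(N) and 0 <= b*c mod N < sqrt(N).

    Extended Euclid on (N, b) keeps the invariant r_i = t_i * b (mod N); the
    first remainder below sqrt(N) comes with |t_i| <= N / r_{i-1} < sqrt(N).
    This realizes the continued-fraction lemma the proof refers to.
    """
    r_prev, r_cur = N, b % N
    t_prev, t_cur = 0, 1
    while r_cur * r_cur >= N:
        q = r_prev // r_cur
        r_prev, r_cur = r_cur, r_prev - q * r_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    if gcd(t_cur, N) != 1:           # only possible with negligible probability
        raise ValueError("multiplier shares a factor with N; pick another b")
    return t_cur


def multiplier_is_small(b, N):
    """Both size conditions the proof needs from the multiplier c."""
    c = small_multiplier(b, N)
    return c * c < N and abs(sym_residue(b * c, N)) ** 2 < N


def omega_candidates(m, xbar, N):
    """The two candidates {floor(m*xbar/N), floor(m*xbar/N) +/- 1} for
    floor(m*x/N), valid when |m| < sqrt(N) and 0 <= x - xbar < 2^(n/2-w)."""
    base = (m * xbar) // N           # Python floor division is correct for m < 0 too
    return (base, base + 1) if m > 0 else (base, base - 1)


def fsrsa_candidates(N, w, r, x, b):
    """The deterministic part of attacker A: from (s_L, s_H, b) build the
    4 candidate tuples (s_1, approx of [cx]_N, s_2, approx of [bcx]_N)."""
    n = N.bit_length()
    assert n % 2 == 0 and 1 <= w < n // 2
    shift = n // 2 - w
    s_H = x >> shift                 # the n/2 + w most significant bits of x
    s_L = x % (1 << r)               # L_r(x): the r least significant bits
    xbar = s_H << shift              # xbar = s_H * 2^(n/2 - w), error < 2^(n/2 - w)
    c = small_multiplier(b, N)
    bc = sym_residue(b * c, N)       # |[bc]_N| < sqrt(N)
    out = []
    for om_c in omega_candidates(c, xbar, N):
        s1 = (c * s_L - om_c * N) % (1 << r)    # L_r(L_r(c) L_r(x) - L_r(om_c N))
        approx1 = c * xbar - om_c * N           # within N/2^(w-1) of [cx]_N
        for om_bc in omega_candidates(bc, xbar, N):
            s2 = (bc * s_L - om_bc * N) % (1 << r)
            approx2 = bc * xbar - om_bc * N
            out.append((s1, approx1, s2, approx2))
    return out, c, bc


def one_candidate_is_correct(N, w, r, x, b):
    """True iff one of the 4 candidates matches the real [cx]_N and [bcx]_N:
    exact low-r bits and approximation error below N/2^(w-1).  This is the
    property the proof relies on so that A' sees a well-formed FSRSA instance."""
    cands, c, bc = fsrsa_candidates(N, w, r, x, b)
    cx, bcx = (c * x) % N, (bc * x) % N
    bound = N >> (w - 1)
    return any(s1 == cx % (1 << r) and abs(a1 - cx) < bound
               and s2 == bcx % (1 << r) and abs(a2 - bcx) < bound
               for s1, a1, s2, a2 in cands)


if __name__ == "__main__":
    import random
    rng = random.Random(2006)
    for _ in range(5):
        x, b = rng.randrange(N_DEMO), rng.randrange(N_DEMO)
        print(one_candidate_is_correct(N_DEMO, 4, 20, x, b))
```

The check passes for every $(x, b)$ because the candidate with the true $\omega_c$ has error exactly $|c|\Delta_x$, and the bound $|c|\Delta_x < N/2^{w-1}$ is the one derived in the proof; the remaining three candidates are simply handed to $A'$ as well, which is where the factor 4 in $T \leq 4T' + O(n^2)$ comes from.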

5 Concrete Parameters and Estimated Performance

Using (6) we obtain an upper bound on the pseudorandom string length $\ell$ for a given security level $(T, \delta)$ and assumed expected run-time lower bound $T_L$ for breaking the $(n, e, r, 3\log(2\ell/\delta) + 5)$-CopRSA problem. Recall that the latter is a $(1/e + \epsilon, \epsilon)$-SSRSA problem when

$$ r/n = 1/2 - 1/e - \epsilon - (3\log(2\ell/\delta) + 5)/n, \qquad (7) $$

and that the $(1/e + \epsilon, \epsilon)$-SSRSA problem is conjectured to take time $T_L = \min(T_F(n), T_C(n, \epsilon))$, where $T_F(n)$ is a lower bound for factoring $N$ and $T_C(n, \epsilon) = \mathrm{poly}(n) \cdot 2^{\epsilon n}$ is the time for the Coppersmith attack on $(1/e + \epsilon, \epsilon)$-SSRSA. Asymptotically, we therefore have for any constant $\epsilon > 0$ that $T_L = T_F(n)$ since $T_F(n)$ is subexponential in $n$, so for any $1/\delta = \mathrm{poly}(n)$ and $e \geq 3$ we can use $r/n = 1/2 - 1/e - \epsilon - o(1)$, i.e. $r = \Omega(n)$. The exact bound on $r$ for a given modulus length $n$ depends on the value of $\epsilon$ such that $T_F(n) = T_C(n, \epsilon)$. To estimate concrete values, we used the Number Field Sieve (NFS) factoring run-time model from [23] (we refer to the full version of the paper for more details [29]); the results are summarised in Table 1.

Our estimates indicate that we can (with $n = 6144$ bit and $e = 8$) achieve a rate around 19300 cycles/byte (0.87 Mbit/s with 2.1 GHz clock) on a Pentium 4 processor, outputting more than $2^{30}$ bits with provable $2^{70}$ instructions distinguishing run-time (under the $(1/e + \epsilon, \epsilon)$-SSRSA assumption). This seems to be close to the practical requirements of some stream cipher applications (it is several hundred times faster than the basic Blum-Blum-Shub generator outputting one bit per iteration with the same modulus length). Compared to the recent provably secure QUAD PRG construction [3] (based on the 'MQ' problem), our PRG seems to have a lower throughput, although it is difficult to make a fair comparison since, unlike our figures above, the performance figures reported in [3] (between 3000 and 4500 cycles/byte on Pentium 4) are for a 'practical' choice of parameters, smaller than those for which the security proof can be applied. A possible advantage of our construction is its significantly smaller static parameters (i.e. non-secret parameters defining the pseudorandom generator) of length $n \approx 5$ kbit, while in [3] the static parameters are longer than 1 Mbit (this might allow our construction to be implemented with less code memory). On the other hand, our construction has a longer state and is based on the hardness of factoring, so it is insecure against potential future quantum attacks, while the MQ problem in [3] may be secure even against such attacks.

Table 1. Estimate of achievable performance for provable $T = 2^{70}$ instructions distinguishing time to achieve advantage $\delta =$ [value missing] using $e = 8, 9$ (assuming hardness of the CopRSA SSRSA problem) and $e = 2$ (assuming hardness of the FSRSA problem; see Section 6). Throughput ('Thrpt') columns are estimated throughput based on Wei Dai's Crypto++ benchmarks page [13] (for a Pentium 4 2.1 GHz processor) and extrapolation assuming classical arithmetic.

n (bit) | log(ℓ) | Rate, e=8 (bit/mult) | Thrpt (Mbit/s) | Rate, e=9 (bit/mult) | Thrpt (Mbit/s) | Rate, e=2 (bit/mult) | Thrpt (Mbit/s)
3072    | 9.3    | 341                  | 1.68           | 267                  | 1.31           | 660                  | 3.2
4096    | 18.0   | 460                  | 1.28           | 360                  | 1.00           | 899                  | 2.5
5120    | 25.4   | 581                  | 1.03           | 454                  | 0.80           | 1140                 | 2.0
6144    | 32.0   | 702                  | 0.87           | 549                  | 0.67           | 1383                 | 1.7


6 Potential Improvements 


6.1 Cryptanalysis of the FS-RSA Problem 

As observed in Section 4, the $(n, e, r, k, l)$-FSRSA problem, although not well-known, gives a more direct proof of security for the RSA PRG than the SSRSA problem. In this section we describe a 'Coppersmith-type' lattice attack on $(n, e, r, k, l)$-FSRSA (which we believe is essentially optimal) and show that it is likely to succeed only when $r/n > 1/2 - (k+l)/(2n) - 1/(2e)$. This value of $r/n$ is larger by about $1/(2e) + (\max(k,l)/n - (k+l)/(2n))$ than the largest value for which the corresponding SSRSA problem in Section 4 is secure, leading to improved throughput for the RSA PRG by using this stronger assumption.

The attack on the $(n, e, r, k, l)$-FSRSA problem works as follows. First we reduce the problem to solving two modular equations in two small unknowns $z_1$ and $z_2$. Namely, given $(y = [x^e]_N, a \in_R \mathbb{Z}_N, s_1 = L_r([ax]_N), u_1 = M_{N,k}([ax]_N), b \in_R \mathbb{Z}_N, s_2 = L_r([bx]_N), u_2 = M_{N,l}([bx]_N))$, we have

$$ x^e \equiv y \pmod N, \qquad (8) $$

$$ [ax]_N = s_1 + z_1' \cdot 2^r; \quad |[ax]_N - u_1| < N/2^k, \qquad (9) $$

$$ [bx]_N = s_2 + z_2' \cdot 2^r; \quad |[bx]_N - u_2| < N/2^l, \qquad (10) $$

where $z_1' < N/2^r$ and $z_2' < N/2^r$ consist of the $n - r$ MS bits of $[ax]_N$ and $[bx]_N$, respectively. Let $\bar{z}_1 = \lfloor (u_1 - s_1)/2^r \rfloor$. From (9) we conclude that $|z_1' - \bar{z}_1| \leq |([ax]_N - s_1)/2^r - (u_1 - s_1)/2^r| + 1 < N/2^{r+k} + 1 < N/2^{r+k-1}$ (for $2^{r+k} < N$) and hence, letting $z_1 = z_1' - \bar{z}_1$, we obtain $[ax]_N = (s_1 + 2^r \bar{z}_1) + 2^r z_1$ where the integer $z_1$ satisfies $|z_1| < N/2^{r+k-1}$. Similarly, from (10) we obtain $[bx]_N = (s_2 + 2^r \bar{z}_2) + 2^r z_2$ where the integer $z_2$ satisfies $|z_2| < N/2^{r+l-1}$ (for $2^{r+l} < N$) and $\bar{z}_2 = \lfloor (u_2 - s_2)/2^r \rfloor$. Treating the last two equations for $[ax]_N$ and $[bx]_N$ as congruences modulo $N$, we eliminate the unknown variable $x$ (by multiplying the second congruence by $[ab^{-1}]_N$ and subtracting from the first) to obtain a single linear polynomial $f(z_1, z_2)$ in two variables $z_1, z_2$, having the desired small unknowns $z_1, z_2$ as a zero modulo $N$ (i.e. $f(z_1, z_2) \equiv 0 \pmod N$), namely:

$$ f(z_1, z_2) = \alpha z_1 + z_2 + \beta, \qquad (11) $$

where $\alpha = [-ab^{-1}]_N$ and $\beta = [-a^{-1} b \, 2^{-r}(s_1 + 2^r \bar{z}_1) + 2^{-r}(s_2 + 2^r \bar{z}_2)]_N$ are known. Also, substituting $x \equiv a^{-1}(s_1 + 2^r \bar{z}_1) + 2^r a^{-1} z_1 \pmod N$ into (8) we obtain a degree $e$ univariate polynomial in $z_1$ having the small unknown $z_1$ as a zero modulo $N$ (i.e. $g(z_1) \equiv 0 \pmod N$):

$$ g(z_1) = (z_1 + \alpha)^e - \beta, \qquad (12) $$

where $\alpha = [2^{-r} s_1 + \bar{z}_1]_N$ and $\beta = [(a 2^{-r})^e y]_N$ are known. To find the small zero $(z_1, z_2)$ of (11) and (12) we use the bivariate modular polynomial lattice method of Coppersmith [11] as simplified by Howgrave-Graham [20] and used in many subsequent works. Namely, for an integer $m$ we use the polynomials $f(z_1, z_2)$ and $g(z_1)$ to construct the following family of polynomials $h_{i,k}(z_1, z_2)$ indexed by a pair of integers $i = 0, 1, \ldots, me$ (which we refer to as the 'block index') and $k = 0, \ldots, i$ (which we call the 'inner index') for each block $i$:

$$ h_{i,k}(z_1, z_2) = N^{me - (i-k) - \lfloor k/e \rfloor} \, z_1^{[k]_e} \, g(z_1)^{\lfloor k/e \rfloor} \, f(z_1, z_2)^{i-k}, \qquad (13) $$

where $[k]_e = k \bmod e$. Observe that each of the polynomials $h_{i,k}(z_1, z_2)$ has $(z_1, z_2)$ as a zero modulo $N^{me}$, because $f(z_1, z_2)^{i-k} \equiv 0 \pmod{N^{i-k}}$ and $g(z_1)^{\lfloor k/e \rfloor} \equiv 0 \pmod{N^{\lfloor k/e \rfloor}}$.

It follows that any integer linear combination of the polynomials $h_{i,k}(z_1, z_2)$ also has $(z_1, z_2)$ as a zero modulo $N^{me}$. Let $B_1 = N/2^{r+k-1}$ and $B_2 = N/2^{r+l-1}$ denote the upper bounds derived above on $|z_1|$ and $|z_2|$, respectively. We set up a lattice $\mathcal{L}$ to search for linear combinations of the polynomials $h_{i,k}(z_1, z_2)$ which have sufficiently small coefficients such that they have $(z_1, z_2)$ as a zero over the integers, not just modulo $N^{me}$. Given two such linearly independent polynomials we can take their resultant to obtain a single univariate polynomial equation in $z_1$ over the integers which is easy to solve. The square basis matrix $B_{\mathcal{L}}$ for lattice $\mathcal{L}$ has rows and columns indexed by pairs of integers $(i, k)$, where the $(i', k')$th column of the $(i, k)$th row of $B_{\mathcal{L}}$ contains the coefficient of the monomial $z_1^{k'} z_2^{i'-k'}$ in the polynomial $h_{i,k}(B_1 z_1, B_2 z_2)$. With this ordering, $B_{\mathcal{L}}$ is in lower diagonal form and its determinant $\det(\mathcal{L})$ is the product of the diagonal elements of $B_{\mathcal{L}}$. Some straightforward calculations (see full paper [29]) show that $\det(\mathcal{L}) = N^{me \cdot d(me) - W(m,e)} (B_1 B_2)^{D(me)/2}$, where $d(me) = \frac{1}{2}(me+1)(me+2)$ is the dimension of $\mathcal{L}$, $D(me) = \frac{e^3}{3} m^3 + O(m^2)$ and $W(m, e) = \frac{1}{2} D(me) + \frac{e^2}{6} m^3 + O(m^2)$. Let $h_1(z_1, z_2)$ and $h_2(z_1, z_2)$ denote the polynomials corresponding to the first two vectors in the reduced basis of $\mathcal{L}$ returned by LLL on input $B_{\mathcal{L}}$. Using Lemma 1, we can show (see full paper [29]) that $h_1$ and $h_2$ will have a common zero over $\mathbb{Z}$ if the following condition is satisfied:

$$ 2^{d(me)/2} \det(\mathcal{L})^{1/d(me)} < \frac{N^{me}}{\sqrt{d(me)}}. \qquad (14) $$

Plugging the expression for $\det(\mathcal{L})$ into this condition, we obtain $(B_1 B_2)^{1/2} < N^{W(m,e)/D(me)}/\gamma(me)$, where the factor $\gamma(me) = (\sqrt{d(me)} \, 2^{d(me)/2})^{d(me)/D(me)}$ is independent of $n$ and so is of order $O(N^{o(1)})$ as $n$ increases. For increasing parameter $m$, the leading $m^3$ terms dominate, and hence the ratio $W(m,e)/D(me)$ approaches asymptotically the value $\frac{1}{2} + \frac{e^2/6}{e^3/3} = \frac{1}{2} + \frac{1}{2e}$. So the attack success condition becomes $(B_1 B_2)^{1/2} < N^{1/2 + 1/(2e) - o(1)}$ for large $n$ and $m$. Using $B_1 = N/2^{r+k-1}$, $B_2 = N/2^{r+l-1}$ and $N < 2^n$ we obtain the asymptotic attack success bound

$$ \frac{r}{n} > \frac{1}{2} - \frac{1}{2e} - \frac{k+l}{2n} + O\!\left(\frac{1}{n}\right). \qquad (15) $$

Although the attack is heuristic (in the sense that the resultant of $h_1$ and $h_2$ may be a zero polynomial), our numerical experiments (see [29]) suggest that the attack works in practice. We conjecture that bound (15) is essentially optimal for 'Coppersmith-type' lattice attacks on $(n, e, r, k, l)$-FSRSA (see [29]).
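As an added example (not the paper's code), the Python below builds an $(n, e, r, k, l)$-FSRSA instance on a constructed toy modulus, derives the coefficients of the linear polynomial (11) and of the degree-$e$ polynomial (12) by carrying the elimination of $x$ through as described above, and verifies that the small unknowns $(z_1, z_2)$ satisfy the stated bounds, are zeros of $f$ and $g$ modulo $N$, and are zeros of every $h_{i,k}$ from (13) modulo $N^{me}$ for $m = 1$ (with the expected $d(me)$ polynomials). The lattice reduction step itself is not included. The primes, parameter values, the choice of $u_1, u_2$ (constructed by clearing low bits, which meets $|[ax]_N - u_1| < N/2^k$) and all names are assumptions of this example.

```python
# Added worked example (not from the paper): the two modular equations of
# Section 6.1 and the polynomial family (13), checked on a constructed instance.

P_DEMO, Q_DEMO = 1000000007, 998244353   # constructed toy primes, N has n = 60 bits
N_DEMO = P_DEMO * Q_DEMO


def lsb(v, r):
    """L_r(v): the r least significant bits of v."""
    return v % (1 << r)


def approx_msb(v, N, k):
    """A value u with |v - u| < N/2^k, playing the role of M_{N,k}(v): here v with
    its low n-k-1 bits cleared, so the error is < 2^(n-k-1) <= N/2^k (N > 2^(n-1))."""
    shift = N.bit_length() - k - 1
    return (v >> shift) << shift


def fsrsa_instance(N, e, r, k, l, x, a, b):
    """Public data (y, a, s_1, u_1, b, s_2, u_2) of an (n,e,r,k,l)-FSRSA instance."""
    ax, bx = (a * x) % N, (b * x) % N
    return {"y": pow(x, e, N), "a": a, "b": b,
            "s1": lsb(ax, r), "u1": approx_msb(ax, N, k),
            "s2": lsb(bx, r), "u2": approx_msb(bx, N, l)}


def modular_equations(inst, N, e, r):
    """Coefficients of f(z1,z2) = alpha*z1 + z2 + beta and g(z1) = (z1+alpha_g)^e - beta_g,
    obtained from the public data only (no knowledge of x)."""
    a, b, s1, u1, s2, u2, y = (inst[n] for n in ("a", "b", "s1", "u1", "s2", "u2", "y"))
    inv2r = pow(2, -r, N)
    zbar1 = (u1 - s1) // (1 << r)     # floor((u_1 - s_1)/2^r), also for negative numerator
    zbar2 = (u2 - s2) // (1 << r)
    A = s1 + (zbar1 << r)             # [ax]_N = A + 2^r z_1
    B = s2 + (zbar2 << r)             # [bx]_N = B + 2^r z_2
    ainv_b = (pow(a, -1, N) * b) % N
    # Eliminate x: a^{-1}b * (first congruence) - (second), then divide by -2^r,
    # which normalises the z_2 coefficient to 1 as in (11).
    alpha = (-ainv_b) % N
    beta = (-ainv_b * inv2r * A + inv2r * B) % N
    # Substitute x = a^{-1} 2^r (2^{-r} A + z_1) into x^e = y, as in (12).
    alpha_g = (inv2r * A) % N
    beta_g = (pow(a * inv2r, e, N) * y) % N
    return {"alpha": alpha, "beta": beta, "alpha_g": alpha_g, "beta_g": beta_g}


def true_unknowns(inst, N, r, x):
    """The small z_1, z_2 the attacker is looking for (computed from x for checking only)."""
    ax, bx = (inst["a"] * x) % N, (inst["b"] * x) % N
    z1 = (ax >> r) - (inst["u1"] - inst["s1"]) // (1 << r)
    z2 = (bx >> r) - (inst["u2"] - inst["s2"]) // (1 << r)
    return z1, z2


def h_val(co, i, k, z1, z2, N, e, m):
    """h_{i,k}(z1, z2) from (13), evaluated over the integers."""
    fv = co["alpha"] * z1 + z2 + co["beta"]
    gv = (z1 + co["alpha_g"]) ** e - co["beta_g"]
    return N ** (m * e - (i - k) - k // e) * z1 ** (k % e) * gv ** (k // e) * fv ** (i - k)


def lattice_dimension(m, e):
    """Number of index pairs (i,k), 0 <= k <= i <= me; equals (me+1)(me+2)/2."""
    return sum(i + 1 for i in range(m * e + 1))


def check_attack_setup(N, e, r, k, l, x, a, b, m=1):
    """(|z1| < B1, |z2| < B2, f(z1,z2) = 0 mod N, g(z1) = 0 mod N, all h_{i,k} = 0 mod N^{me})."""
    inst = fsrsa_instance(N, e, r, k, l, x, a, b)
    co = modular_equations(inst, N, e, r)
    z1, z2 = true_unknowns(inst, N, r, x)
    B1, B2 = N >> (r + k - 1), N >> (r + l - 1)
    me = m * e
    f_ok = (co["alpha"] * z1 + z2 + co["beta"]) % N == 0
    g_ok = (pow(z1 + co["alpha_g"], e, N) - co["beta_g"]) % N == 0
    h_ok = all(h_val(co, i, kk, z1, z2, N, e, m) % N ** me == 0
               for i in range(me + 1) for kk in range(i + 1))
    return (abs(z1) < B1, abs(z2) < B2, f_ok, g_ok, h_ok)


if __name__ == "__main__":
    print(check_attack_setup(N_DEMO, 3, 20, 10, 10, 314159265358979323, 123456789, 987654321))
    print(lattice_dimension(1, 3))   # 10 polynomials in the m = 1, e = 3 family
```

Note that the coefficient of $z_1$ comes out of the elimination as $[-a^{-1}b]_N$ when the $z_2$ coefficient is normalised to 1; the zero-test on $f$ is what confirms the coefficients are consistent with the data. The toy parameters satisfy $2^{r+k} < N$ and $2^{r+l} < N$, the preconditions used in deriving $B_1$ and $B_2$.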

6.2 Using Even Exponents

Assuming Hardness of FSRSA Problem. If we assume that the attack of the previous section is optimal, so that the $(n, e, r, k, l)$-FSRSA problem is hard when the bound (15) is violated, then we can allow $r/n$ to approach $1/4$ even for $e = 2$, with only one modular squaring required per iteration. It is shown in [14] that with appropriate modifications to the proof, Lemma 4 holds also for $e = 2$ if we replace the iteration function $x \to [x^e]_N$ by the 'absolute Rabin function' $f_a(x) = |x^2|_N = \min([x^2]_N, N - [x^2]_N)$, choose $N = pq$ to be a Blum RSA modulus with $p \equiv q \equiv 3 \pmod 4$, and choose the PRG seed $x_0 \in_R M_N$, where $M_N = \mathbb{Z}_N^*(+1) \cap (0, N/2)$, and $\mathbb{Z}_N^*(+1)$ denotes the subset of elements of $\mathbb{Z}_N^*$ having Jacobi symbol $+1$. Since $f_a$ permutes the set $M_N$, the proof of Lemma 3 holds as well. Refer to Table 1 for the performance of this PRG variant, where it is assumed that the best attack on $(n, e, r, k, l)$-FSRSA with $r/n = 1/2 - 1/(2e) - (k+l)/(2n) + \epsilon$ takes time $\min(T_F(n), 2^{\epsilon n})$, where $T_F(n)$ is the time needed to factor $N$. We stress however that this assumption is new and needs further study.

Assuming Hardness of SSRSA Problem. Our reduction (Theorem 3) from the CopRSA to the FSRSA problem also extends with some small modifications to the case of even $e$ (see [29]). For $e = 8$, it actually gives a better rate than the best odd exponent assuming the hardness of SSRSA ($e = 9$); see Table 1.
7 Conclusion

We have shown that an efficient variant of the RSA PRG is provably secure assuming the hardness of a well-studied variant of the RSA inversion problem in which some of the plaintext bits are known.

We see two avenues for further improvement. Even using the FSRSA assumption in Section 6, the PRG rate which we can prove secure is $r = (1/2 - 1/(2e) - \epsilon - o(1))n$ for 'small' $\epsilon$. Can this rate be improved using a different proof (but a similar inversion assumption) up to $r = (1 - 1/e - \epsilon - o(1))n$? The other question is whether the factor $\ell^2$ in the reduction run-time factor $O((\ell/\delta)^2 n \log(n))$ can be significantly reduced.

Finally we remark that besides generic applications of PRGs, our result can also be applied to prove the security of an efficient semantically secure (IND-CPA) RSA-based public key encryption scheme, assuming the hardness of the SSRSA one-wayness problem (see [29]). An interesting open problem is to construct additional efficient cryptographic primitives based on this problem.
Abstract. Currently, the best and only evidence of the security of the OAEP encryption scheme is a proof in the contentious random oracle model. Here we give further arguments in support of the security of OAEP. We first show that partial instantiations, where one of the two random oracles used in OAEP is instantiated by a function family, can be provably secure (still in the random oracle model). For various security statements about OAEP we specify sufficient conditions for the instantiating function families that, in some cases, are realizable through standard cryptographic primitives and, in other cases, may currently not be known to be achievable but appear moderate and plausible. Furthermore, we give the first non-trivial security result about fully instantiated OAEP in the standard model, where both oracles are instantiated simultaneously. Namely, we show that instantiating both random oracles in OAEP by modest functions implies non-malleability under chosen plaintext attacks for random messages. We also discuss the implications, especially of the full instantiation result, to the usage of OAEP for secure hybrid encryption (as required in SSL/TLS, for example).


1 Introduction

OAEP is one of the best known and most widely deployed asymmetric encryption schemes. It was designed by Bellare and Rogaway [5] as a scheme based on a trapdoor permutation such as RSA. OAEP is standardized in RSA's PKCS #1 v2.1 and is part of the ANSI X9.44, IEEE P1363, ISO 18033-2 and SET standards. The encryption algorithm of $\mathrm{OAEP}^{G,H}[F]$ takes a public key $f$, which is an instance of a trapdoor permutation family $F$, and a message $M$, picks $r$ at random and computes the ciphertext $C = f(s \| t)$ for $s = G(r) \oplus M \| 0^{k_1}$ and $t = H(s) \oplus r$, where $G$ and $H$ are some hash functions. Despite its importance, the only security results for OAEP are a proof of IND-CPA security assuming $F$ is a one-way trapdoor permutation family [5] and a proof of IND-CCA2 security assuming $F$ is partial one-way [16], both in the random oracle (RO) model, i.e., where $G$ and $H$ are idealized and modeled as random oracles [4]. However, such proofs merely provide heuristic evidence that breaking the scheme may be hard in reality (when the random oracles are instantiated with real functions).

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 210-225, 2006. 

© International Association for Cryptologic Research 2006 



On the Security of OAEP 211 


A growing number of papers raised concerns regarding the soundness of the controversial random oracle model [12,19,20,17,1,14,9,21]. Moreover, most of the recent results question the security of the practical schemes known to be secure in the RO model. For example, Dodis et al. [14] showed some evidence that the RSA Full Domain Hash signature scheme may not be secure in the standard model. Boldyreva and Fischlin [9] showed that even presumably strong candidates like perfectly one-way hash functions (POWHFs) [11,13] are insufficient to prove security of partial instantiations of OAEP (when only one of the two random oracles is instantiated with an instance of a POWHF).

The motivation of this work is to gather evidence of the soundness of the OAEP design. Like the aforementioned works, our goal is to go beyond the classical RO heuristic and study the security of the scheme when one or all of its ROs are instantiated. Positive results in the direction of partial instantiations would give further evidence that breaking OAEP for good instantiations is hard, because breaking the scheme would then require exploiting interdependent weaknesses between the instantiations or the family $F$. Given the negative results of [9] one cannot expect the properties needed from the instantiating function families to be weak or even easily realizable, even if one accepts weaker security stipulations than chosen-ciphertext security for partial or full instantiations. For example, although it seems plausible, it is currently not even known whether OAEP can be proven IND-CPA secure in the standard model assuming any reasonable properties of the instantiating functions.

Here we show that security proofs for instantiations of OAEP are indeed possible. For various security statements about OAEP we specify sufficient conditions on $G$ and $H$ that are certainly weaker than assuming that the functions behave as random oracles, yielding "positive" security statements regarding partially instantiated OAEP. Furthermore, we give the first non-trivial security results about fully instantiated OAEP in the standard model, where both oracles $G$ and $H$ are instantiated simultaneously. We next discuss these results in more detail.

The OAEP Framework. For better comprehension of our technical results we first reconsider the OAEP encryption scheme from a more abstract viewpoint. Let $f$ be a random instance of a partial one-way trapdoor permutation family $F$, and the encryption algorithm computes a ciphertext as $C = f(s \| t)$. Partial one-wayness [16] requires that it is hard to find the leading part of the pre-image $s \| t$ under $f$ and to output, say, $s$ only. If we consider now for example a family $F_{\text{t-clear}}$ where each function is defined as $f = g \| \mathrm{ID}$ such that $f(s \| t) = g(s) \| t$ for a trapdoor permutation $g$, then this family $F_{\text{t-clear}}$ is clearly partial one-way (and also a trapdoor permutation). Hence, this example describes a special case $\mathrm{OAEP}^{G,H}[F_{\text{t-clear}}]$ for the partial one-way trapdoor permutation family $F_{\text{t-clear}}$ where each function outputs the $t$-part in clear. In particular, the security proof in the random oracle model for OAEP and general partial one-way families (including RSA as a special case) [16] carries over, but we outdo this by giving positive results of partial instantiation for such families $F_{\text{t-clear}}$.

Towards the standard-model security results for fully instantiated OAEP we take the above viewpoint one step further and look at $\mathrm{OAEP}^{G,H}[F_{\text{lsb}\|\text{t-clear}}]$ for families $F_{\text{lsb}\|\text{t-clear}}$ where each function $f$ outputs the $k_1$ least significant bits of $s = G(r) \oplus M \| 0^{k_1}$ (which equal those bits of $G(r)$) and $t$ in clear. Since each function in $F_{\text{lsb}\|\text{t-clear}}$ is also a member of $F_{\text{t-clear}}$, the partial instantiation results above remain true for $\mathrm{OAEP}^{G,H}[F_{\text{lsb}\|\text{t-clear}}]$.

We note that security of partial instantiations of $\mathrm{OAEP}^{G,H}[F_{\text{t-clear}}]$ and of $\mathrm{OAEP}^{G,H}[F_{\text{lsb}\|\text{t-clear}}]$, although for qualified partial one-way trapdoor families, also has implications for the popular $\mathrm{OAEP}^{G,H}[\mathrm{RSA}]$ case. They show that any successful attacks on instantiations for RSA would have to take advantage of specific properties of the RSA function. Generic attacks which would also work for $F_{\text{t-clear}}$ or $F_{\text{lsb}\|\text{t-clear}}$ are then ruled out.

Partial Instantiation Results. Positive results about partial instantiations were first shown in [9] for the PSS-E encryption scheme. There it was also shown, however, that perfectly one-way hash functions cannot be securely used to instantiate either one of the ROs in OAEP. These negative results about partial instantiation through POWHFs hold for $\mathrm{OAEP}^{G,H}[F_{\text{t-clear}}]$ as well. Yet we show that partial instantiations are possible by switching to other primitives.

To instantiate the $G$-oracle in $\mathrm{OAEP}^{G,H}[F_{\text{t-clear}}]$ while preserving IND-CCA2 security (in the random oracle model), we introduce the notion of a near-collision resistant pseudorandom generator. For such a generator $G$ it is infeasible to find different seeds $r \neq r'$ such that predetermined parts of the generator's outputs $G(r), G(r')$ match (they may differ on other parts). To be more precise, for $\mathrm{OAEP}^{G,H}[F_{\text{t-clear}}]$ the generator $G$ is not allowed to coincide on the $k_1$ least significant bits, bequeathing this property to the values $s = G(r) \oplus M \| 0^{k_1}$ and $s' = G(r') \oplus M \| 0^{k_1}$ in the encryption process. We discuss that such pseudorandom generators can be derived from any one-way permutation.

Instantiating the $H$-oracle in OAEP turns out to be more challenging. To this end we consider non-malleable pseudorandom generators, where a given image of a seed $r$ should not help significantly to produce an image of a related seed $r'$. Instantiating $H$ through such a non-malleable pseudorandom generator, the resulting scheme achieves NM-CPA security, where it is infeasible to convert a given ciphertext into one of a related message. Although this security notion for encryption schemes is not as strong as IND-CCA, it yet exceeds the classical IND-CPA security. That is, Bellare et al. [3] show that NM-CPA implies IND-CPA and is incomparable to IND-CCA1 security. Hence, NM-CPA security of schemes lies somewhere in between IND-CPA and IND-CCA2.¹

We also show that it is possible to extend the above result and to instantiate the $H$-oracle in $\mathrm{OAEP}^{G,H}[F_{\text{t-clear}}]$ without even sacrificing IND-CCA2 security (again, for random oracle $G$). This however requires the very strong assumption for the pseudorandom generators which then must be non-malleable under chosen-image attacks. For such a generator non-malleability should even hold if the adversary can learn seeds of chosen images, and such generators resemble chosen-ciphertext secure encryption schemes already. Hence, we see this partial instantiation as a mere plausibility result that one can presumably instantiate oracle $H$ and still have IND-CCA2 security. This is in contrast to the results in [12] for example, showing that there are encryption schemes secure in the random oracle model but which cannot be securely realized for any primitive, not even for a secure encryption scheme itself.

¹ We mitigate the notion of NM-CPA such that the relation specifying related messages and the distribution over the messages must be fixed at the outset. This mildly affects the relationship to the IND notions, but we omit technical details in the introduction.

As for the existence of non-malleable pseudorandom generators, we are not aware whether they can be derived from standard cryptographic assumptions, and we leave this as an interesting open problem. We also remark that, while non-malleability under chosen-image attacks seems to be a rather synthetic property, plain non-malleability as required in the NM-CPA result appears to be a modest and plausible assumption for typical instantiation candidates like hash functions. For instance, it should not be easy to flip bits in a given hash value, affecting bits in the pre-image in a reasonable way.

Full Instantiation Result. Our main result is a standard-model security proof for a fully instantiated OAEP. It is not very reasonable to expect a proof of IND-CCA2 security of OAEP in the standard model, even assuming very strong properties of the instantiating functions (although we all would like to see such a result). As we mentioned above, we are not aware whether one can even show IND-CPA security of fully instantiated OAEP.

Nevertheless we show that OAEP in the standard model can be proven to satisfy a rather strong security notion, namely $NM-CPA. It is slightly weaker than the standard non-malleability notion NM-CPA in that there is a restriction that an unknown random message is encrypted in the challenge ciphertext. A bit more formally, this security notion $NM-CPA requires that given a public key and a ciphertext of a challenge message chosen uniformly at random from a large message space it is hard to compute a valid ciphertext of a message non-trivially related to the challenge message. Note that this is consistent with how asymmetric schemes are typically used to build hybrid encryption schemes, where the key of the symmetric scheme is derived from a random string encrypted with the public-key scheme. To appreciate the power of the $NM-CPA definition we note that it implies for example the notion of OW-CPA and, moreover, Bleichenbacher's attack [7] on PKCS #1 v1.5 is not possible for $NM-CPA secure schemes.² Thus our result provides better evidence that OAEP resists such attacks, and specifies what properties of the instantiating functions are sufficient for this.

For our full instantiation proof we consider $\mathrm{OAEP}^{G,H}[F_{\text{lsb}\|\text{t-clear}}]$ where the $t$-part and the least significant bits of the $s$-part are output in clear. To achieve the $NM-CPA security notion under full instantiation of both oracles $G$ and $H$ in $\mathrm{OAEP}^{G,H}[F_{\text{lsb}\|\text{t-clear}}]$ we need to augment the near-collision resistant generator $G$ by a trapdoor property, allowing to invert images efficiently given the trapdoor information; such generators exist if trapdoor permutations exist. We again use a non-malleable pseudorandom generator $H$ for instantiating $H$. Assuming that the generators above exist we show that $\mathrm{OAEP}^{G,H}[F_{\text{lsb}\|\text{t-clear}}]$ is $NM-CPA.³

² Bleichenbacher's attack works by generating a sequence of ciphertexts from a given ciphertext and verifying the validity of the derived ciphertexts by querying the decryption oracle. While requiring adaptive queries to recover the entire message, one can view the message in the first derived ciphertext in such an attack as having a small (but not negligible) probability of being non-trivially related to the original (possibly random) message.

To give further evidence of the usefulness of the $NM-CPA notion we finally show that we can derive a hybrid encryption scheme that is NM-CPA in the random oracle model from an asymmetric scheme secure in the sense of $NM-CPA. For this, one encrypts a random string $r$ with the asymmetric scheme and then runs $r$ through an idealized key derivation process to obtain $K = G(r)$, modeled through a random oracle $G$. The actual message is then encrypted with a symmetric scheme for key $K$. The construction of such hybrid encryption schemes resembles the encryption method in SSL/TLS [18]. There, simply speaking, the client encrypts a random string under the server's public key and then both parties derive the actual symmetric key $K$ by hashing the random string iteratively. If one considers this hashing step as an idealized process then our results provide a security guarantee for this technique. Observe that this result is still cast in the random oracle model; yet it separates the security of the key derivation process from the security of the asymmetric encryption scheme and can be seen as a partial instantiation for the random oracles in the encryption algorithm.

Prospect. The random oracle model should provide confidence that the design of a cryptographic scheme is sound, even if a security proof in the standard model for this scheme is missing. The heuristic argument is that "good" instantiations of random oracles then give evidence that no "clever" attacks against a scheme work. But the well-known negative results about the random oracle principle have raised some doubts about how much confidence this security heuristic really gives.

The approach we take here towards challenging the doubts is to trade security goals against partial or full instantiations of random oracles. Our "test case" OAEP shows that this is a viable way and gives more insight into "how clever" attacks against the instantiations would have to be. And while this still does not rule out the possibility of extraordinary attacks, we see this as an important supplement to the random oracle heuristic and to the question of how instantiating candidates should be selected, hopefully inciting other results along this direction.

2 Preliminaries

If $S$ is a set then $x \leftarrow S$ means that the value $x$ is chosen uniformly at random from $S$. If $A$ is a deterministic (resp. randomized) algorithm with a single output then $x \leftarrow A(y, z, \ldots)$ (resp. $x \xleftarrow{\$} A(y, z, \ldots)$) means that the value $x$ is assigned the output of $A$ for input $(y, z, \ldots)$. An algorithm is called efficient if it runs in polynomial time in the input length (which, in our case, usually refers to polynomial time in the security parameter).

A function family $F = \bigcup_k F(1^k)$ consists of sets of functions $F(1^k) = \{f : \{0,1\}^{m(k)} \to \{0,1\}^{n(k)}\}$. It is called a family of trapdoor permutations if for each $f \in F(1^k)$ there exists $f^{-1}$ such that $f(f^{-1}(\cdot)) = \mathrm{ID}$. We usually identify the functions $f$ and $f^{-1}$ simply with their descriptions, and write $(f, f^{-1}) \leftarrow F(1^k)$ for the random choice of $f$ (specifying also $f^{-1}$) from the family $F(1^k)$. Unless stated differently, the minimal assumption about a function family in this paper is that it is one-way, and that it is efficiently computable.

³ Very recently, Brown [2] has shown that RSA-OAEP cannot be proven OW-CPA under certain security reductions. Our approach here does not fall under this kind of reductions and does not contradict his result. We provide more details in Section 3.2.


2.1 The OAEP Framework

The OAEP encryption framework [5] is parameterized by integers $k$, $k_0$ and $k_1$ (where $k_0, k_1$ are linear functions of $k$) and makes use of a trapdoor permutation family $F$ with domain and range $\{0,1\}^k$ and two random oracles

$$ G : \{0,1\}^{k_0} \to \{0,1\}^{k - k_0} \quad\text{and}\quad H : \{0,1\}^{k - k_0} \to \{0,1\}^{k_0}. $$

The message space is $\{0,1\}^{k - k_0 - k_1}$. The scheme $\mathrm{OAEP}^{G,H}[F] = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is defined as follows:

- The key generation algorithm $\mathcal{K}(1^k)$ picks a pair $(f, f^{-1}) \leftarrow F(1^k)$ at random. Let $pk$ specify $f$ and let $sk$ specify $f^{-1}$.

- The encryption algorithm $\mathcal{E}(pk, M)$ picks $r \leftarrow \{0,1\}^{k_0}$, and computes $s \leftarrow G(r) \oplus (M \| 0^{k_1})$ and $t \leftarrow H(s) \oplus r$. It finally outputs $C \leftarrow f(s \| t)$.

- The decryption algorithm $\mathcal{D}(sk, C)$ computes $s \| t \leftarrow f^{-1}(C)$, $r \leftarrow t \oplus H(s)$ and $M \leftarrow s \oplus G(r)$. If the last $k_1$ bits of $M$ are zeros, then it returns the first $k - k_0 - k_1$ bits of $M$, else it returns $\bot$.

The encryption scheme $\mathrm{OAEP}^{G,H}[F]$ is IND-CCA2 secure in the RO model if the underlying trapdoor permutation family $F$ is partial one-way [16].

As a side effect of the partial one-wayness result for OAEP [16] we can 
immediately conclude security of a particular OAEP variant, where we use a partial 
one-way trapdoor permutation family $F_{t\text{-clear}}$ based on a trapdoor permutation 
family $F$. Namely, each function $f_{t\text{-clear}} : \{0,1\}^k \to \{0,1\}^k$ in $F_{t\text{-clear}}$ 
is described by $f_{t\text{-clear}}(s \| t) = f(s) \| \mathrm{ID}(t) = f(s) \| t$ for a one-way permutation 
$f : \{0,1\}^{k - k_0} \to \{0,1\}^{k - k_0}$, i.e., the $t$-part is output in clear. A random instance 
$(f_{t\text{-clear}}, f^{-1}_{t\text{-clear}}) \leftarrow F_{t\text{-clear}}(1^k)$ is sampled by picking $(f, f^{-1}) \leftarrow F(1^k)$ and 
setting $f_{t\text{-clear}}$ as above (the inverse $f^{-1}_{t\text{-clear}}$ is defined in the obvious way). Then $F_{t\text{-clear}}$ 
is clearly partial one-way and thus $\mathrm{OAEP}^{G,H}[F_{t\text{-clear}}]$ is IND-CCA2 secure in the 
random oracle model. 

Analogously, we consider another important variant of OAEP where we also 
output the $k_1$ least significant bits $\mathrm{lsb}_{k_1}(s)$ of $s$ in clear and merely apply the 
trapdoor function $f$ to the leading $k - k_0 - k_1$ bits of $s$. That is, a random 
function $f_{\mathrm{lsb}\|t\text{-clear}} : \{0,1\}^k \to \{0,1\}^k$ in $F_{\mathrm{lsb}\|t\text{-clear}}(1^k)$ is described by a random 
trapdoor permutation $f : \{0,1\}^{k - k_0 - k_1} \to \{0,1\}^{k - k_0 - k_1}$ and $f_{\mathrm{lsb}\|t\text{-clear}}(s \| t) = 
f(s_{1 \dots k - k_0 - k_1}) \| \mathrm{lsb}_{k_1}(s) \| t$. Note that since $s = G(r) \oplus M \| 0^{k_1}$ this means that we 
output the least significant bits $\mathrm{lsb}_{k_1}(G(r))$ of $G(r)$ and $t$ in clear. For this reason 
we sometimes write $s \| \gamma$ instead of $s$ and denote by $\gamma$ the $k_1$ bits $\mathrm{lsb}_{k_1}(G(r))$, 
such that $f_{\mathrm{lsb}\|t\text{-clear}}(s \| \gamma \| t) = f(s) \| \gamma \| t$. $F_{\mathrm{lsb}\|t\text{-clear}}$ is clearly partial one-way and 
$\mathrm{OAEP}^{G,H}[F_{\mathrm{lsb}\|t\text{-clear}}]$ is IND-CCA2 secure in the random oracle model. 

In both cases we often identify $F_{t\text{-clear}}$ resp. $F_{\mathrm{lsb}\|t\text{-clear}}$ simply with the underlying 
family $F$ and vice versa. In particular, we often denote a random function 
from $F_{t\text{-clear}}$ or $F_{\mathrm{lsb}\|t\text{-clear}}$ simply by $f$. We call $F_{t\text{-clear}}$ resp. $F_{\mathrm{lsb}\|t\text{-clear}}$ the induced 
family of $F$. 

Random Oracle Instantiations. For an instantiation of the random oracle 
$G$ in $\mathrm{OAEP}^{G,H}[F]$ we consider a pair of efficient algorithms $\mathcal{G} = (\mathrm{KGenG}, G)$ 
where $\mathrm{KGenG}$ on input $1^k$ returns a random key $K$ and the deterministic 
algorithm${}^4$ $G$ maps this key $K$ and input $r \in \{0,1\}^{k_0}$ to an output string $G(K, r) = 
G_K(r)$ of $k - k_0$ bits. Then we write $\mathrm{OAEP}^{\mathcal{G},H}[F]$ for the encryption scheme 
which works as defined above, but where the key pair $(sk, pk)$ is now given 
by $sk = (f^{-1}, K)$ and $pk = (f, K)$ and where each evaluation of $G(r)$ is 
replaced by $G_K(r)$. We say that $\mathrm{OAEP}^{\mathcal{G},H}[F]$ is a partial $G$-instantiation of OAEP 
through $\mathcal{G}$. 

A partial $H$-instantiation $\mathrm{OAEP}^{G,\mathcal{H}}[F]$ of OAEP through $\mathcal{H}$ and partial 
instantiations of the aforementioned OAEP variations are defined accordingly. If 
we instantiate both oracles $G$, $H$ simultaneously then we speak of a full 
instantiation $\mathrm{OAEP}^{\mathcal{G},\mathcal{H}}[F]$ of OAEP through $\mathcal{G}$ and $\mathcal{H}$. 

2.2 Security of Encryption Schemes 

In this section we review the relevant security notions for asymmetric encryption 
schemes $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$. In addition to indistinguishability under chosen-plaintext 
and chosen-ciphertext attacks (IND-CPA, IND-CCA1, IND-CCA2; see for instance [3] 
for formal definitions), we occasionally also rely on the notion of non-malleability. 
This notion was introduced and formalized in [15,3]. 
The most basic version is called NM-CPA and says that a ciphertext of a message 
$M^*$ should not help to find a ciphertext of a related message $M$, where 
the distribution of message $M^*$ is defined by an efficient distribution $\mathcal{M}$ and 
related messages are specified by an efficient relation $R$, both chosen by the 
adversary. 

Definition 1 (NM-CPA). Let $\mathcal{AS}$ be an asymmetric encryption scheme. Then 
$\mathcal{AS}$ is called secure in the sense of NM-CPA if for every efficient algorithm 
$A$ the following random variables $\mathrm{Exp}^{\text{nm-cpa-1}}_{\mathcal{AS},A}(k)$, $\mathrm{Exp}^{\text{nm-cpa-0}}_{\mathcal{AS},A}(k)$ are 
computationally indistinguishable: 

Experiment $\mathrm{Exp}^{\text{nm-cpa-1}}_{\mathcal{AS},A}(k)$ 
  $(pk, sk) \leftarrow \mathcal{K}(1^k)$ 
  $(\mathcal{M}, state) \leftarrow A(pk)$ 
  $M^* \leftarrow \mathcal{M}$ 
  $C^* \leftarrow \mathcal{E}_{pk}(M^*)$ 
  $(R, C) \leftarrow A(state, C^*)$ 
  $M \leftarrow \mathcal{D}_{sk}(C)$ 
  Return 1 iff $(C \neq C^*) \wedge R(M^*, M)$ 

Experiment $\mathrm{Exp}^{\text{nm-cpa-0}}_{\mathcal{AS},A}(k)$ 
  $(pk, sk) \leftarrow \mathcal{K}(1^k)$ 
  $(\mathcal{M}, state) \leftarrow A(pk)$ 
  $M^* \leftarrow \mathcal{M}$; $M' \leftarrow \mathcal{M}$ 
  $C' \leftarrow \mathcal{E}_{pk}(M')$ 
  $(R, C) \leftarrow A(state, C')$ 
  $M \leftarrow \mathcal{D}_{sk}(C)$ 
  Return 1 iff $(C \neq C') \wedge R(M^*, M)$ 

It is assumed that the messages in the support of $\mathcal{M}$ have equal length. 

${}^4$ In general, the instantiating functions can be randomized. This requires some care 
with the decryption algorithms and possibly introduces new attacks. Since our results 
all hold with respect to deterministic algorithms this is beyond our scope here; see 
[9] for more details. 


We note that the original definition of NM-CPA in [3] actually allows the adver- 
sary to output a vector of ciphertexts. Our results for OAEP merely hold with 
respect to binary relations and therefore we restrict the definition here to such 
relations. We remark that the aforementioned relationships of NM-CPA to the 
indistinguishability notions, e.g., that this notion is strictly stronger than the 
one of IND-CPA, hold for relations of arity two as well. 

A weaker security notion is that of $NM-CPA, where the adversary 
does not have the ability to choose a distribution over the messages; instead 
a random message is encrypted and the adversary tries to find a ciphertext of a 
related message. 


Definition 2 ($NM-CPA). Let $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be an asymmetric encryption 
scheme and let $\mathcal{M}$ on input $1^k$ describe the uniform distribution over all $\ell(k)$-bit 
strings for some polynomial $\ell$. Then $\mathcal{AS}$ is called secure in the sense of $NM-CPA 
if for every efficient algorithm $A$ and for every efficient relation $R$ the 
following random variables $\mathrm{Exp}^{\$\text{nm-cpa-1}}_{\mathcal{AS},A,R}(k)$, $\mathrm{Exp}^{\$\text{nm-cpa-0}}_{\mathcal{AS},A,R}(k)$ are computationally 
indistinguishable: 

Experiment $\mathrm{Exp}^{\$\text{nm-cpa-1}}_{\mathcal{AS},A,R}(k)$ 
  $(pk, sk) \leftarrow \mathcal{K}(1^k)$ 
  $M^* \leftarrow \mathcal{M}(1^k)$ 
  $C^* \leftarrow \mathcal{E}_{pk}(M^*)$ 
  $C \leftarrow A(pk, C^*, \langle R \rangle)$ 
  $M \leftarrow \mathcal{D}_{sk}(C)$ 
  Return 1 iff $(C \neq C^*) \wedge R(M^*, M)$ 

Experiment $\mathrm{Exp}^{\$\text{nm-cpa-0}}_{\mathcal{AS},A,R}(k)$ 
  $(pk, sk) \leftarrow \mathcal{K}(1^k)$ 
  $M^* \leftarrow \mathcal{M}(1^k)$; $M' \leftarrow \mathcal{M}(1^k)$ 
  $C' \leftarrow \mathcal{E}_{pk}(M')$ 
  $C \leftarrow A(pk, C', \langle R \rangle)$ 
  $M \leftarrow \mathcal{D}_{sk}(C)$ 
  Return 1 iff $(C \neq C') \wedge R(M^*, M)$ 

While the notion of $NM-CPA is weaker than the one of NM-CPA (in addition 
to the restriction to uniformly distributed messages, the relation is now fixed in 
advance), it still suffices, for example, to show security in the sense of OW-CPA 
(where the adversary's goal is to recover a random message in a given ciphertext), 
and it also covers Bleichenbacher's attack on PKCS #1 v1.5. In Section 5 
we also show that the notion of $NM-CPA is enough to derive NM-CPA security 
under an idealized key derivation function. Namely, one encrypts a random 
string $r$ under the $NM-CPA public-key encryption scheme and then pipes $r$ 
through a random oracle $G$ to derive a key $K = G(r)$ for the symmetric scheme. 
In fact, one can view the SSL encryption method, where the client sends an 
encrypted random key to the server and both parties derive a symmetric key 
through a complicated hash function operation, as a special case of this method. 
Then this result about lifting $NM-CPA to NM-CPA security, together with the 
$NM-CPA security proof for the full instantiation of $\mathrm{OAEP}_{\mathrm{lsb}\|t\text{-clear}}$, provides an 
interesting security heuristic (as long as the key derivation process behaves in an 
ideal way). 

2.3 Pseudorandom Generators 

Typically, the minimal requirement when instantiating a random oracle 
is that the instantiating function describes a pseudorandom generator, consisting 
of the key generation algorithm $\mathrm{KGen}$ producing a public key $K$ and the 
evaluation algorithm $G$ mapping a random seed $r$ with key $K$ to the pseudorandom 
output. Usually the output of this generator should still look random 
when some side information $\mathrm{hint}(r)$ about the seed $r$ is given. This probabilistic 
function $\mathrm{hint}$ must of course be uninvertible, a weaker notion than one-wayness 
(cf. [11]). 

We also incorporate into the definition the possibility that the key generation 
algorithm outputs some secret trapdoor information $K^{-1}$ in addition to $K$. Given 
this information $K^{-1}$ one can efficiently invert images. If this trapdoor property 
is not required we can assume that $K^{-1} = \bot$ and often omit $K^{-1}$ in the key 
generator's output. 

Definition 3 ((Trapdoor) Pseudorandom Generator). Let $\mathrm{KGen}$ be an 
efficient key-generation algorithm that takes as input $1^k$ for $k \in \mathbb{N}$ and outputs a 
key $K$; let $G$ be an efficient deterministic evaluation algorithm that, on input $K$ 
and a string $r \in \{0,1\}^k$, returns a string of length $\ell(k)$. Then $\mathcal{G} = (\mathrm{KGen}, G)$ is 
called a pseudorandom generator (with respect to $\mathrm{hint}$) if the following random 
variables are computationally indistinguishable: 

- Let $K \leftarrow \mathrm{KGen}(1^k)$, $r \leftarrow \{0,1\}^k$, $h \leftarrow \mathrm{hint}(r)$; output $(K, G(K, r), h)$. 

- Let $K \leftarrow \mathrm{KGen}(1^k)$, $r \leftarrow \{0,1\}^k$, $h \leftarrow \mathrm{hint}(r)$, $u \leftarrow \{0,1\}^{\ell(k)}$; output 
$(K, u, h)$. 

Furthermore, if there is an efficient algorithm $\mathrm{TdG}$ such that for any $k \in \mathbb{N}$, 
any $(K, K^{-1}) \leftarrow \mathrm{KGen}(1^k)$ and any $r \in \{0,1\}^k$ we have $G(K, \mathrm{TdG}(K^{-1}, G(K, r))) = 
G(K, r)$, then $(\mathrm{KGen}, G, \mathrm{TdG})$ is called a trapdoor pseudorandom generator. 

For our results about OAEP we often need further properties from the pseudorandom 
generator, including near-collision resistance and non-malleability. The former 
means that given a seed $r$ it is hard to find a different seed $r'$ such that $G(K, r)$ 
and $G(K, r')$ coincide on a predetermined set of bits (even if they are allowed to 
differ on the other bits). Non-malleability refers to generators where the generator's 
output for a seed should not help to produce an image of a related seed. We 
give precise definitions and discuss existential questions where these notions are used. 
3 Partial Instantiations for OAEP 

In this section we prove security of partial instantiations of OAEP. Our results 
show that one can replace either one of the random oracles in OAEP by reasonable 
primitives and still maintain security (in the random oracle model). 

3.1 Instantiating the G-Oracle for IND-CCA2 Security 

We first show how to construct a pseudorandom generator with a special form 
of collision resistance. This property says that, given a random input $r$, finding 
an input $r' \neq r$ such that $G(K, r)$ and $G(K, r')$ coincide on the $k$ least significant 
bits $\mathrm{lsb}_k(G(K, r))$, $\mathrm{lsb}_k(G(K, r'))$ is infeasible. Following comparable collision 
types for hash functions [6] we call this near-collision resistance. 

Definition 4 (Near-collision Resistant Pseudorandom Generator). A 
pseudorandom generator $\mathcal{G} = (\mathrm{KGen}, G)$ is called near-collision resistant (for the 
least significant $k$ bits) if for any efficient algorithm $C$ the following holds: Let 
$K \leftarrow \mathrm{KGen}(1^k)$, $r \leftarrow \{0,1\}^k$, $r' \stackrel{\$}{\leftarrow} C(K, r)$. Then the probability that $r \neq r'$ but 
$\mathrm{lsb}_k(G(K, r)) = \mathrm{lsb}_k(G(K, r'))$ is negligible. 

Near-collision resistant generators can be built, for example, from one-way 
permutations via the well-known Yao-Blum-Micali construction [22,8]. In that case, 
given a family $\mathcal{G}$ of one-way permutations, the key generation algorithm 
$\mathrm{KGen}_{\mathrm{YBM}}(1^k)$ of this generator simply picks a random instance $g : \{0,1\}^k \to 
\{0,1\}^k$ of $\mathcal{G}(1^k)$, and $G_{\mathrm{YBM}}(g, r) = (\mathrm{hb}(r), \mathrm{hb}(g(r)), \dots, \mathrm{hb}(g^{n-1}(r)), g^n(r))$ is 
defined through the hardcore bits $\mathrm{hb}$ of $g$. Since $g$ is a permutation, different 
inputs $r \neq r'$ yield different output parts $g^n(r) \neq g^n(r')$. 

Given a near-collision resistant pseudorandom generator we show how to 
instantiate the $G$-oracle in $\mathrm{OAEP}^{G,H}[F_{t\text{-clear}}]$ for the family $F_{t\text{-clear}}$ which is induced 
by a trapdoor permutation family $F$ (i.e., where a member $f : \{0,1\}^{k - k_0} \to 
\{0,1\}^{k - k_0}$ of $F$ is applied to the $k$-bit inputs such that the lower $k_0$ bits are 
output in clear). 

Theorem 1. Let $\mathcal{G} = (\mathrm{KGenG}, G)$ be a pseudorandom generator which is 
near-collision resistant (for the $k_1$ least significant bits). Let $F$ be a trapdoor permutation 
family and let $F_{t\text{-clear}}$ be the induced partial one-way trapdoor permutation 
family defined in Section 2.1. Then the partial $G$-instantiation $\mathrm{OAEP}^{\mathcal{G},H}[F_{t\text{-clear}}]$ of 
OAEP through $\mathcal{G}$ is IND-CCA2 in the random oracle model. 

The full proof appears in the full version [10]. The idea is to gradually change 
the way the challenge ciphertext (encrypting one of two adversarially chosen 
messages, the hidden choice made at random) is computed in a sequence of 
games. We show that none of these steps changes an adversary's success 
probability of predicting the secret choice noticeably: 

- Initially, in Game 0, the challenge ciphertext $f(s^*) \| t^*$ for message $M^*$ is 
computed as in the scheme's description by $s^* = G(K, r^*) \oplus M^* \| 0^{k_1}$ for the 
near-collision resistant generator $G$ and $t^* = H(s^*) \oplus r^*$ for oracle $H$. 

- In Game 1 the ciphertext is now computed by setting $s^* = G(K, r^*) \oplus M^* \| 0^{k_1}$ 
as before, but letting $t^* = \omega \oplus r^*$ for a random $\omega$ which is independent of 
$H(s^*)$. Because $H$ is a random oracle this will not affect the adversary's 
success probability, except for the rare case that the adversary queries $H$ 
about $s^*$. 

- In Game 2, in a rather cosmetic change, we further substitute $t^* = \omega \oplus r^*$ 
simply by $t^* = \omega$, making the $t$-part independent of the generator's 
pre-image $r^*$. 

- In Game 3 we use the pseudorandomness of generator $G$ to replace $s^* = 
G(K, r^*) \oplus M^* \| 0^{k_1}$ by $s^* = u \oplus M^* \| 0^{k_1}$ for a random $u$. 

Since ciphertexts in the last game are distributed independently of the actual 
message, security of the original scheme follows, after a careful analysis that 
decryption queries do not help; this is the step where we exploit that $H$ is still a 
random oracle and that $\mathcal{G}$ is near-collision resistant. Namely, the near-collision 
resistance prevents an adversary from transforming the challenge ciphertext for 
values $r^*, s^*$ into a valid one for the same $s^*$ but a different $r$: if both 
$s^* = G(K, r^*) \oplus M^* \| 0^{k_1}$ and $s^* = G(K, r) \oplus M \| 0^{k_1}$ held, the $k_1$ least significant 
bits of $G(K, r^*)$ and $G(K, r)$ would coincide, i.e., the adversary would have found a 
near-collision; so the derived ciphertext is invalid with high probability. Given 
this, the adversary must always use a "fresh" value $s$ when submitting a 
ciphertext to the decryption oracle, and must have queried the random oracle 
$H$ about $s$ before (or else the ciphertext is most likely invalid). But then the 
adversary already "knows" $r = t \oplus H(s)$ (recall that for $F_{t\text{-clear}}$ the $t$-part is 
included in clear in ciphertexts) and therefore "knows" the (padded) message 
$M \| z = s \oplus G(K, r)$ encapsulated in the ciphertext. 
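The scheme of Section 2.1 and the $t$-clear malleability argument just described, as an added worked example (this is not code from the paper). Two assumptions of this example: the trapdoor permutation $F$ is toy textbook RSA over two Mersenne primes, far too small for real use and permuting $\mathbb{Z}_N$ rather than $\{0,1\}^k$ (so $k$ is chosen with $2^k < N$, as PKCS #1 does with a leading zero byte), and the oracles $G$, $H$ are instantiated heuristically with counter-mode SHA-256. `encrypt`/`decrypt` implement $\mathrm{OAEP}^{G,H}[F]$ with $f$ applied to $s \| t$; `encrypt_t_clear`/`decrypt_t_clear` implement $\mathrm{OAEP}^{G,H}[F_{t\text{-clear}}]$, where $t$ travels in clear; `maul_t_part` is the adversary move ruled out above: keep $f(s^*)$, change only $t$, which changes $r$ but not $s^*$, so the $0^{k_1}$ check fails unless $\mathrm{lsb}_{k_1}(G(r))$ near-collides with $\mathrm{lsb}_{k_1}(G(r^*))$.

```python
import hashlib

# Toy trapdoor permutation (assumption of this example): textbook RSA over two
# well-known Mersenne primes. Far too small for real use; it only stands in for
# the family F. It permutes Z_N rather than {0,1}^k, so we pick k with 2^k < N.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

K = N.bit_length() - 1   # k: every k-bit string s||t is < N, so f is injective on {0,1}^k
K0 = 32                  # k_0: bits of randomness r
K1 = 32                  # k_1: zero bits checked on decryption
MSG_BITS = K - K0 - K1   # message space {0,1}^{k - k_0 - k_1}


def f(x):
    """Public direction of the trapdoor permutation."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor direction (needs sk = f^{-1})."""
    return pow(y, D, N)


def _ro(label, x, nbits):
    """Heuristic random-oracle stand-in (assumption): counter-mode SHA-256 cut to nbits."""
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        out += hashlib.sha256(label + x.to_bytes(64, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def G(r):
    """G : {0,1}^{k_0} -> {0,1}^{k - k_0}"""
    return _ro(b"G", r, K - K0)


def H(s):
    """H : {0,1}^{k - k_0} -> {0,1}^{k_0}"""
    return _ro(b"H", s, K0)


def oaep_pad(m, r):
    """s = G(r) xor (M || 0^{k_1}), t = H(s) xor r."""
    if not (0 <= m < 1 << MSG_BITS and 0 <= r < 1 << K0):
        raise ValueError("message or randomness out of range")
    s = G(r) ^ (m << K1)
    t = H(s) ^ r
    return s, t


def oaep_unpad(s, t):
    """Recover M, or None (the paper's bottom) if the k_1 low bits are not all zero."""
    if s >> (K - K0) or t >> K0:     # not a well-formed (s, t) pair
        return None
    r = t ^ H(s)
    padded = s ^ G(r)
    if padded & ((1 << K1) - 1):
        return None
    return padded >> K1


# OAEP^{G,H}[F]: f is applied to the whole k-bit string s || t.
def encrypt(m, r):
    s, t = oaep_pad(m, r)
    return f((s << K0) | t)


def decrypt(c):
    x = f_inv(c)
    if x >> K:                       # pre-image is not a k-bit string
        return None
    return oaep_unpad(x >> K0, x & ((1 << K0) - 1))


# OAEP^{G,H}[F_{t-clear}]: f is applied to s only; the t-part travels in clear.
def encrypt_t_clear(m, r):
    s, t = oaep_pad(m, r)
    return f(s), t


def decrypt_t_clear(c):
    y, t = c
    return oaep_unpad(f_inv(y), t)


def maul_t_part(c, delta):
    """The adversary's move ruled out above: keep f(s*) and flip bits of the clear t-part.
    This changes r = t xor H(s*) but not s*, so decryption fails unless
    lsb_{k_1}(G(r)) == lsb_{k_1}(G(r*)), i.e. a near-collision in G."""
    y, t = c
    return y, t ^ delta


if __name__ == "__main__":
    m, r = 0x5EC12E7, 0xC0FFEE
    print(decrypt(encrypt(m, r)) == m)            # True
    c = encrypt_t_clear(m, r)
    print(decrypt_t_clear(c) == m)                # True
    print(decrypt_t_clear(maul_t_part(c, 1)))     # None
```

The last call returns `None` except with probability about $2^{-k_1}$, exactly the near-collision event the theorem charges to $\mathcal{G}$; with a generator that is not near-collision resistant for the low $k_1$ bits, the mauled ciphertext would decrypt to a valid, related message.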

3.2 Instantiating the H-Oracle 

To instantiate the $H$-oracle we introduce the notion of a non-malleable pseudorandom 
generator. For such a pseudorandom generator it should be infeasible to 
find, for a given image $y^* = H_K(s^*)$ of a random $s^*$, a different image $y = H_K(s)$ of 
a related value $s$, where the corresponding efficient relation $R(s^*, s)$ must be 
determined before seeing $K$ and $y^*$.${}^5$ More precisely, we formalize non-malleability 
of a pseudorandom generator by the indistinguishability of two experiments. For 
any adversary $B$ it should not matter whether $B$ is given $f(s^*)$, $y^* = H_K(s^*)$ or 
$f(s^*)$, $y' = H_K(s')$ for an independent $s'$ instead: the probability that $B$ outputs 
$f(s)$ and $y = H_K(s)$ such that $s$ is related to $s^*$ via relation $R$ should be roughly 
the same in both cases.${}^6$ 

${}^5$ We are thankful to the people from the Ecrypt network for pointing out that a 
possibly stronger definition for adaptively chosen relations allows trivial relations 
over the images and cannot be satisfied. 

${}^6$ Adding the image under the trapdoor permutation uniquely determines the 
pre-image of the pseudorandom generator's output and enables us to specify $R(s^*, s)$ 
via the pre-images. Since this also bundles the security of the trapdoor permutation 
and the generator, Brown's recent impossibility result about security reductions for 
OAEP [2] does not apply. 
Definition 5 (Non-Malleable Pseudorandom Generator). Assume $\mathcal{H} = 
(\mathrm{KGenH}, H)$ is a pseudorandom generator (which is pseudorandom with respect to 
$\mathrm{hint}(x) = (f, f(x))$ for $(f, f^{-1}) \leftarrow F(1^k)$ from the trapdoor function family $F$). 
Then $\mathcal{H}$ is called non-malleable with respect to $\mathrm{hint}$ if for any efficient algorithm 
$B$ and any efficient relation $R$ the following random variables $\mathrm{Exp}^{\text{nm-cpa-1}}_{\mathcal{H},B,R}(k)$, 
$\mathrm{Exp}^{\text{nm-cpa-0}}_{\mathcal{H},B,R}(k)$ are computationally indistinguishable, where the experiments 
are defined as follows. 

Experiment $\mathrm{Exp}^{\text{nm-cpa-1}}_{\mathcal{H},B,R}(k)$ 
  $K \leftarrow \mathrm{KGenH}(1^k)$ 
  $(f, f^{-1}) \leftarrow F(1^k)$ 
  $s^* \leftarrow \{0,1\}^k$ 
  $y^* \leftarrow H_K(s^*)$ 
  $(z, y) \leftarrow B(K, f, f(s^*), y^*)$ 
  $s \leftarrow f^{-1}(z)$ 
  Return 1 iff $R(s^*, s) \wedge H_K(s) = y \wedge s^* \neq s$ 

Experiment $\mathrm{Exp}^{\text{nm-cpa-0}}_{\mathcal{H},B,R}(k)$ 
  $K \leftarrow \mathrm{KGenH}(1^k)$ 
  $(f, f^{-1}) \leftarrow F(1^k)$ 
  $s^* \leftarrow \{0,1\}^k$; $s' \leftarrow \{0,1\}^k$ 
  $y' \leftarrow H_K(s')$ 
  $(z, y) \leftarrow B(K, f, f(s^*), y')$ 
  $s \leftarrow f^{-1}(z)$ 
  Return 1 iff $R(s^*, s) \wedge H_K(s) = y \wedge s^* \neq s$ 

Given a non-malleable pseudorandom generator we can prove NM-CPA security 
of the partial $H$-instantiation of OAEP, under the restriction that the adversarially 
chosen message distribution and relation are defined at the beginning of the 
attack via $(\mathcal{M}, R, state) \leftarrow A(1^k)$ and thus depend only on the security parameter. 
This relaxed notion still implies, for example, IND-CPA security (but for messages 
picked independently of the public key), is still incomparable to IND-CCA1 
security, and also thwarts Bleichenbacher's attack. We call such schemes NM-CPA 
for pre-defined message distributions and relations. 


Theorem 2. Let $F$ be a trapdoor permutation family and let $F_{t\text{-clear}}$ be the 
induced partial one-way trapdoor permutation family. Let $\mathcal{H} = (\mathrm{KGenH}, H)$ be a 
pseudorandom generator (with respect to $\mathrm{hint}(x) = (f, f(x))$ for $(f, f^{-1}) \leftarrow 
F(1^k)$). Assume further that $\mathcal{H}$ is non-malleable with respect to $\mathrm{hint}$. Then the 
partial $H$-instantiation $\mathrm{OAEP}^{G,\mathcal{H}}[F_{t\text{-clear}}]$ through $\mathcal{H}$ is NM-CPA for pre-defined 
message distributions and relations in the random oracle model. 

The proof idea is as follows. Assume that an attacker, given a ciphertext for 
some values $r^*, s^*$ (which uniquely define the message in a ciphertext), tries 
to prepare a related ciphertext for some value $r \neq r^*$ without having queried 
random oracle $G$ about $r$ before. Then such a ciphertext is most likely invalid, 
because with overwhelming probability the least significant bits of $s \oplus G(r)$ are 
not zero. Else, if $r = r^*$, then we must have $f(s) \neq f(s^*)$ and $s \neq s^*$, since 
the adversarial ciphertext must be different for a successful attack. But then 
the values $H(K, s^*)$ and $H(K, s)$ for different pre-images must be related via the 
ciphertext's relation, contradicting the non-malleability of the generator $\mathcal{H}$. In 
any other case, if $r \neq r^*$ and $r$ is among the queries to $G$, the random value 
$G(r^*)$ is independent of $G(r)$. So must be the messages $M^* \| 0^{k_1} = s^* \oplus G(r^*)$ 
and $M \| 0^{k_1} = s \oplus G(r)$, as required for non-malleability. Details can be found in 
the full version [10]. 
Replacing the $H$-oracle without violating IND-CCA2 security is more 
ambitious and requires a very strong assumption on the pseudorandom 
generator, called non-malleability under chosen-image attacks (where the 
adversary can also make inversion queries to the trapdoor pseudorandom 
generator). Since any pseudorandom generator with this property is already close to 
a chosen-ciphertext secure encryption scheme, we rather see this as an indication 
that a partial instantiation might be possible and that separation results 
as in [12,19,20,1,17,21,9,14] seem to be hard to find. The formal treatment of the 
following and the proof appear in the full version [10]. 

Theorem 3. Let $F$ be a trapdoor permutation family and let $F_{t\text{-clear}}$ be the induced 
partial one-way trapdoor permutation family defined in Section 2.1. Let $\mathcal{H} = 
(\mathrm{KGenH}, H, \mathrm{TdH})$ be a trapdoor pseudorandom generator which is non-malleable 
under chosen-image attacks (with respect to $\mathrm{hint}(x) = (f, f(x))$ for $(f, f^{-1}) \leftarrow 
F_{t\text{-clear}}(1^k)$). Then the partial $H$-instantiation $\mathrm{OAEP}^{G,\mathcal{H}}[F_{t\text{-clear}}]$ through $\mathcal{H}$ is 
IND-CCA2 in the random oracle model. 

4 Full Instantiation for OAEP 

In this section we prove that there exists a full instantiation of $\mathrm{OAEP}_{\mathrm{lsb}\|t\text{-clear}}$ 
which is secure in the sense of $NM-CPA in the standard model, implying for 
example that the scheme is OW-CPA. Recall that in $\mathrm{OAEP}_{\mathrm{lsb}\|t\text{-clear}}$ we write 
$s \| \gamma = G(r) \oplus M \| 0^{k_1}$ instead of $s$ to name the least significant bits explicitly. 

To prove our result we need a near-collision resistant trapdoor pseudorandom 
generator, i.e., one which combines near-collision resistance with the trapdoor 
property. Such generators can easily be built by using again the Blum-Micali-Yao 
generator, but this time by deploying a trapdoor permutation $g$ instead of 
a one-way permutation, i.e., the generator's output for random $r$ is given by 
$G_{\mathrm{YBM}}(g, r) = (\mathrm{hb}(r), \mathrm{hb}(g(r)), \dots, \mathrm{hb}(g^{n-1}(r)), g^n(r))$. Letting $K^{-1}$ contain the 
trapdoor information $g^{-1}$, algorithm $\mathrm{TdG}$ can easily invert the $k_1$ least significant 
bits $\gamma$ of the output to recover a pre-image $r$. 
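The Blum-Micali-Yao generator of Section 3.1 with the trapdoor used here, as an added example (not the paper's code). Assumptions of this example: the trapdoor permutation $g$ is toy textbook RSA over Mersenne primes, so seeds are elements of $\mathbb{Z}_N$ rather than $\{0,1\}^k$, and the hardcore bit is the RSA least significant bit. `bmy_generate` produces $(\mathrm{hb}(r), \dots, \mathrm{hb}(g^{n-1}(r)), g^n(r))$, `bmy_trapdoor_invert` is $\mathrm{TdG}$ recovering $r$ from the trailing block $g^n(r)$ alone (the property assumed in the text), and `trailing_blocks_differ` exhibits the near-collision argument: distinct seeds give distinct trailing blocks because $g^n$ is a permutation.

```python
# Toy trapdoor permutation g (assumption of this example): textbook RSA over two
# Mersenne primes, far too small for real use. Seeds are elements of Z_N.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def g(x):
    """Public direction of the trapdoor permutation."""
    return pow(x, E, N)


def g_inv(y):
    """Trapdoor direction, available only to the holder of K^{-1} = g^{-1}."""
    return pow(y, D, N)


def hb(x):
    """Hardcore bit of RSA: the least significant bit of the pre-image."""
    return x & 1


def bmy_generate(r, n):
    """G_YBM(g, r) = (hb(r), hb(g(r)), ..., hb(g^{n-1}(r)), g^n(r)).
    Returns the n pseudorandom bits and the trailing block g^n(r)."""
    if not 0 <= r < N:
        raise ValueError("seed out of range")
    bits, x = [], r
    for _ in range(n):
        bits.append(hb(x))
        x = g(x)
    return bits, x


def bmy_trapdoor_invert(trailing, n):
    """TdG: recover the seed from the trailing block only, by applying g^{-1} n times.
    The n hardcore bits are not needed, which is the property used in Section 4."""
    x = trailing
    for _ in range(n):
        x = g_inv(x)
    return x


def trailing_blocks_differ(r1, r2, n):
    """Near-collision resistance on the trailing block: since g^n is a permutation,
    r1 != r2 implies g^n(r1) != g^n(r2), so no adversary can make them coincide."""
    return bmy_generate(r1, n)[1] != bmy_generate(r2, n)[1]


if __name__ == "__main__":
    n, r = 64, 0x1234567890ABCDEF
    bits, trailing = bmy_generate(r, n)
    print("".join(map(str, bits)))
    print(bmy_trapdoor_invert(trailing, n) == r)        # True
    print(trailing_blocks_differ(r, r + 1, n))          # True
```

Note that the trailing block is the only part that is not a hardcore bit: it is exactly the "least significant bits" whose statistical closeness to uniform Section 4 also assumes, and for RSA that holds because $g^n$ permutes $\mathbb{Z}_N$.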

To be precise, we make use of two additional, specific properties of the 
Blum-Micali-Yao generator. First, we assume that recovering a pre-image is possible 
given the $k_1$ least significant bits only, i.e., without seeing the remaining part 
of the image. To simplify the proof we furthermore presume that the $k_1$ least 
significant bits of the generator's output are statistically close to uniform (over 
the choice of the seed).${}^7$ We simply refer to generators with the above properties 
as a near-collision resistant trapdoor pseudorandom generator (for the least 
significant $k$ bits). 

Theorem 4. Let $F$ be a trapdoor permutation family and let $F_{\mathrm{lsb}\|t\text{-clear}}$ be the 
induced partial one-way trapdoor permutation family. Let $\mathcal{G} = (\mathrm{KGenG}, G)$ be a 
near-collision resistant trapdoor pseudorandom generator (for the $k_1$ least 
significant bits). Let $\mathcal{H} = (\mathrm{KGenH}, H)$ be a generator which is pseudorandom and 
non-malleable with respect to $\mathrm{hint}(s \| \gamma) = (f, f(s) \| \gamma)$ for $(f, f^{-1}) \leftarrow F(1^k)$. 
Then the full instantiation $\mathrm{OAEP}^{\mathcal{G},\mathcal{H}}[F_{\mathrm{lsb}\|t\text{-clear}}]$ through $\mathcal{G}$ and $\mathcal{H}$ is $NM-CPA. 

${}^7$ It is easy to adapt the proof to the more general case of arbitrary distributions of the 
least significant bits, as long as they support extraction. But this would also require 
changing the definition of the non-malleable pseudorandom generator $H_K(s \| \gamma)$ to 
support arbitrary distributions on the $\gamma$-part. 

The proof appears in the full version [10]. The basic idea is similar to the one 
of NM-CPA security for the partial $H$-instantiation. The important difference 
is that the randomness of the encrypted message $M$ in a ciphertext $f(s) \| \gamma \| t$ 
for $s \| \gamma = G_K(r) \oplus M \| 0^{k_1}$ helps to overcome otherwise existing "circular" 
dependencies between $\mathcal{G}$ and $\mathcal{H}$ in the computations of ciphertexts (which, in the 
partial instantiation case, do not occur because $G$ is a random oracle). 

5 Hybrid Encryption from $NM-CPA Schemes 

We show that a public-key scheme which is secure in the sense of $NM-CPA 
(i.e., for pre-defined relations), together with an IND-CCA2 secure symmetric 
scheme, suffices to build an NM-CPA secure hybrid scheme in the random oracle 
model (i.e., even for adaptively chosen message distributions and relations). 

Construction 1. Let $\mathcal{AS} = (\mathcal{EK}_{\mathrm{asym}}, \mathcal{E}_{\mathrm{asym}}, \mathcal{D}_{\mathrm{asym}})$ be an asymmetric encryption 
scheme and let $\mathcal{SS} = (\mathcal{EK}_{\mathrm{sym}}, \mathcal{E}_{\mathrm{sym}}, \mathcal{D}_{\mathrm{sym}})$ be a symmetric encryption scheme. 
Let $G$ be a hash function mapping $k$-bit strings into the key space of the symmetric 
scheme. Then the hybrid encryption scheme $\mathcal{AS}' = (\mathcal{EK}'_{\mathrm{asym}}, \mathcal{E}'_{\mathrm{asym}}, \mathcal{D}'_{\mathrm{asym}})$ is 
defined as follows. 

- The key generation algorithm $\mathcal{EK}'_{\mathrm{asym}}(1^k)$ outputs a key pair $(sk, pk) \leftarrow 
\mathcal{EK}_{\mathrm{asym}}(1^k)$. 

- The encryption algorithm $\mathcal{E}'_{\mathrm{asym}}$ on input $pk, M$ picks $r \leftarrow \{0,1\}^k$, computes 
$C_{\mathrm{asym}} \leftarrow \mathcal{E}_{\mathrm{asym}}(pk, r)$, $C_{\mathrm{sym}} \leftarrow \mathcal{E}_{\mathrm{sym}}(G(r), M)$ and returns $(C_{\mathrm{asym}}, C_{\mathrm{sym}})$. 

- The decryption algorithm $\mathcal{D}'_{\mathrm{asym}}$ on input $(C_{\mathrm{asym}}, C_{\mathrm{sym}})$ and $sk$ computes 
$r \leftarrow \mathcal{D}_{\mathrm{asym}}(sk, C_{\mathrm{asym}})$, $M \leftarrow \mathcal{D}_{\mathrm{sym}}(G(r), C_{\mathrm{sym}})$ and returns $M$. 
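Construction 1 as an added example (not the paper's code). The symmetric scheme is encrypt-then-MAC built from HMAC-SHA256 (a keystream plus a tag over nonce and ciphertext), which is IND-CCA2 by the usual encrypt-then-MAC argument when HMAC is a PRF; $G$ is SHA-512, standing in for the random oracle. The asymmetric component is deliberately only a placeholder: textbook RSA over Mersenne primes applied to the random $r$, which is not $NM-CPA (RSA is multiplicatively malleable), so the block exercises the plumbing of the construction and the tag check of the symmetric part, not the theorem's security claim; a $NM-CPA scheme such as the fully instantiated $\mathrm{OAEP}_{\mathrm{lsb}\|t\text{-clear}}$ would replace `asym_encrypt`/`asym_decrypt`. All key sizes and names are assumptions of this example.

```python
import hashlib
import hmac
import os

K_BITS = 128          # k: length of the random string r

# Placeholder asymmetric scheme (assumption): textbook RSA over two Mersenne primes.
# NOT $NM-CPA and far too small; it only shows where E_asym / D_asym plug in.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def asym_keygen():
    return (E, N), (D, N)             # (pk, sk)


def asym_encrypt(pk, r):
    e, n = pk
    return pow(int.from_bytes(r, "big"), e, n)


def asym_decrypt(sk, c):
    d, n = sk
    x = pow(c, d, n)
    if x >> K_BITS:                   # not a k-bit string: reject
        return None
    return x.to_bytes(K_BITS // 8, "big")


def G(r):
    """Hash function mapping k-bit strings into the symmetric key space (64 bytes)."""
    return hashlib.sha512(b"hybrid-kdf" + r).digest()


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def sym_encrypt(key, m):
    """Encrypt-then-MAC: nonce || (m xor keystream) || HMAC tag over nonce and ciphertext."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(m, _keystream(enc_key, nonce, len(m))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def sym_decrypt(key, c):
    """Verify the tag first; any modification of nonce or ciphertext is rejected."""
    enc_key, mac_key = key[:32], key[32:]
    if len(c) < 48:
        return None
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def hybrid_encrypt(pk, m):
    """E'_asym: r <- {0,1}^k, C_asym <- E_asym(pk, r), C_sym <- E_sym(G(r), M)."""
    r = os.urandom(K_BITS // 8)
    return asym_encrypt(pk, r), sym_encrypt(G(r), m)


def hybrid_decrypt(sk, c):
    """D'_asym: r <- D_asym(sk, C_asym), M <- D_sym(G(r), C_sym)."""
    c_asym, c_sym = c
    r = asym_decrypt(sk, c_asym)
    if r is None:
        return None
    return sym_decrypt(G(r), c_sym)


def flip_ciphertext_byte(c, index):
    """Tamper with one byte of C_sym; the tag check makes D'_asym return None."""
    c_asym, c_sym = c
    mutated = bytearray(c_sym)
    mutated[index] ^= 1
    return c_asym, bytes(mutated)


if __name__ == "__main__":
    pk, sk = asym_keygen()
    c = hybrid_encrypt(pk, b"premaster secret")
    print(hybrid_decrypt(sk, c))                            # b'premaster secret'
    print(hybrid_decrypt(sk, flip_ciphertext_byte(c, 16)))  # None
```

The design choice worth noting is the split of the 64-byte $G(r)$ into independent encryption and MAC keys: the proof of Theorem 5 needs the symmetric scheme to be IND-CCA2, and reusing one key for both the keystream and the tag would void the standard encrypt-then-MAC argument.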

Theorem 5. Let $\mathcal{AS} = (\mathcal{EK}_{\mathrm{asym}}, \mathcal{E}_{\mathrm{asym}}, \mathcal{D}_{\mathrm{asym}})$ be an asymmetric encryption 
scheme which is $NM-CPA. Let $\mathcal{SS} = (\mathcal{EK}_{\mathrm{sym}}, \mathcal{E}_{\mathrm{sym}}, \mathcal{D}_{\mathrm{sym}})$ be an IND-CCA2 
symmetric encryption scheme. Let $G$ be a hash function and let $\mathcal{AS}' = 
(\mathcal{EK}'_{\mathrm{asym}}, \mathcal{E}'_{\mathrm{asym}}, \mathcal{D}'_{\mathrm{asym}})$ be the hybrid encryption scheme defined according to 
Construction 1. Then $\mathcal{AS}'$ is NM-CPA secure in the random oracle model. 

The proof is in the full version [10] and actually shows that the scheme is 
NM-CPA with respect to the stronger notion where the adversary outputs a 
sequence $\mathbf{C} = (C_1, \dots, C_m)$ of ciphertexts and the success is measured 
according to $R(M^*, \mathbf{M})$ for $\mathbf{M} = (M_1, \dots, M_m)$. 
Abstract. Recently, Bellare and Palacio succeeded in defining plaintext 
awareness, also called PA2, in the standard model. They 
propose three variants of standard model PA2, named perfect, statistical, 
and computational PA2. In this paper, we study the relationship 
between standard model PA2 and the message hiding property, 
that is, IND-CPA. Although these two seem to be independent notions 
at first glance, we show that each of perfect, statistical, and 
computational PA2 in the standard model implies IND-CPA security if the 
encryption function is one-way. Using this result, we also show that 
"PA2 + One-way ⇒ IND-CCA2". This result shows the "all-or-nothing" 
aspect of PA2. That is, a standard model PA2 secure public-key 
encryption scheme either satisfies the strongest message hiding property, 
IND-CCA2, or does not satisfy even the weakest message hiding property, 
one-wayness. We also show that the computational PA2 notion is 
strictly stronger than the statistical one. 

Keywords: Plaintext Awareness, Standard Model. 


1 Introduction 

The Plaintext Awareness [BR94, BDPR98, HLM03, BP04], which is also known 
as PA2, is a notion about the security of a public-key encryption scheme. Intu- 
itively, we say that a public-key encryption scheme satisfies the PA2, if no adver- 
sary can generate a ciphertext “without knowing” the corresponding plaintext. 

The PA2 notion is important because it implies chosen-ciphertext security 
[BR94, BDPR98, BP04] if the public-key encryption scheme is IND-CPA 
secure. Moreover, it is useful when one instantiates the ideal functions in the 
Dolev-Yao model [DY83], since the relation between PA2 and the Dolev-Yao 
model is known [HLM03]. 

The original definition of the PA2 security was formalized in the random oracle 
model [BR94, BDPR98] and was highly dependent on this model, although the 
intuitive definition, mentioned above, does not depend on this model. Therefore, 
in the earlier study of the PA2, one of the main concerns was how to define the 
PA2 in the standard model. 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 226-240, 2006. 

© International Association for Cryptologic Research 2006 
In Asiacrypt 2004, Bellare and Palacio [BP04] succeeded in defining standard 
model PA2. Their result is important because we can analyze encryption 
schemes from the new viewpoint of whether they are PA2 secure. Here we briefly 
review their definition. They define the PA2 notion based on the indistinguishability 
of two worlds, the "Dec world" and the "Ext world". An adversary in the Dec world 
can access the decryption oracle, among other oracles. In contrast, the adversary in the 
Ext world accesses an extractor which simulates the decryption oracle. 
The extractor has to simulate the decryption oracle using only data 
"which the adversary knows". They define three types of PA2, named 
perfect/statistical/computational PA2, depending on whether the Dec world and the 
Ext world are perfectly/statistically/computationally indistinguishable for the 
adversary. 

They also succeeded in proving the fundamental theorem, which states that 
all of these plaintext awareness notions, together with IND-CPA security, imply 
chosen-ciphertext security. 

1.1 Our Contributions 

In this paper, we study the relationship between standard model PA2 and the 
message hiding property, that is, IND-CPA. At first glance, these two seem to be 
independent notions. Indeed, it is well known that the random 
oracle model PA2 property does not imply the IND-CPA property and vice 
versa. 

We show, however, that each of perfect, statistical, and computational PA2 
security in the standard model implies IND-CPA security if the encryption 
function is one-way. Recall that the fundamental theorem "(perfect, statistical, 
or computational) PA2 + IND-CPA ⇒ IND-CCA2" holds. Therefore, combining our 
result with the fundamental theorem gives the stronger variant of the 
fundamental theorem, "(perfect, statistical, or computational) PA2 + One-way 
⇒ IND-CCA2". This result shows the "all-or-nothing" aspect of PA2. That 
is, a standard model PA2 secure public-key encryption scheme either satisfies 
the strongest message hiding property, IND-CCA2, or does not satisfy even the 
weakest message hiding property, one-wayness. 

Our result is not only of theoretical interest but can also be useful when one 
proves the IND-CCA2 security of public-key encryption schemes. Recall that it 
is non-trivial to show the IND-CPA security of some schemes satisfying random 
oracle PA2, such as schemes with OAEP+ [OP01], 3-round OAEP [PP04], 
or Kobara-Imai [KI01] padding. For schemes satisfying standard model PA2, 
however, we are not required to prove IND-CPA security, since 
our result guarantees it. 

We also study the gap between computational and statistical PA2 security. 
That is, we show that computational PA2 security is strictly stronger 
than statistical PA2 security. It is interesting to compare our result with Fujisaki's 
result [F06] about random oracle PA2. In his paper, he defined a plaintext 
simulatability (PS) notion, which is a "computational variant" of random 
oracle PA2, and showed that plaintext simulatability is strictly 
stronger than random oracle PA2. Therefore, our result can be seen 
as the standard model variant of Fujisaki's result [F06]. Comparing his result 
with ours, one can say that the statistical and computational standard model 
PA2 notions correspond to random oracle PA2 and to PS, respectively. 

We stress that, although our result and Fujisaki's result are similar, 
they concern different models and have different proofs. Indeed, we cannot use his proof 
because it depends heavily on the random oracle model. Our proof is simpler and 
more intuitive than his. 

1.2 Previous Works 

Before random oracle PA2 was defined, a weaker variant of it, named 
random oracle PA1 [BR94], had been defined. The first schemes satisfying 
random oracle PA1 and PA2 were proposed by Bellare-Rogaway 
[BR94] and Fujisaki-Okamoto [FO99] respectively. In these papers, the authors 
proposed conversions which transform a trapdoor one-way permutation and an 
IND-CPA secure public-key encryption scheme into PA1 and PA2 secure 
public-key encryption schemes respectively. These conversions are called the OAEP and 
the Fujisaki-Okamoto conversions respectively. 

Shoup [S01] showed that the random oracle PA1 together with IND-CPA does not 
imply IND-CCA2 security, although previously it had been thought to. In the 
same paper he gave a revised version of the OAEP conversion, OAEP+, which 
transforms a trapdoor oneway permutation into a PA2 secure public-key 
encryption scheme in the random oracle model. OAEP and other conversions with 
similar properties are also studied in [CHJPPT98, B01, FOPS01, M01, OP01, 
CJNP02, KI01, KO03]. 

As far as we know, the first attempt to define plaintext awareness outside 
the random oracle model was made by Herzog, Liskov, and Micali [HLM03]. They 
defined a PA2 notion in the key registration model [HLM03] and constructed a 
public-key encryption scheme which satisfies it. 

Bellare and Palacio [BP04] defined not only the standard model PA2 but also 
the standard model PA1. They also showed that the Damgård [D91] and the 
Cramer-Shoup lite [CS01] public-key encryption schemes satisfy the standard 
model PA1 under the Diffie-Hellman Knowledge assumption [D91, BP04] and the 
DDH assumption. Later, Dent [D06] showed that the Cramer-Shoup public-key 
encryption scheme [CS98, CS01] satisfies the standard model PA2 security under 
the same assumptions. 

1.3 Organization 

The paper is organized as follows: In Section 2, we review the definition of the 
standard model PA2. In Section 3, we show that the statistical PA2 is strictly 
stronger than the computational one. In Section 4, we show the main theorem, 
which states that "(perfect, statistical, or computational) PA2 + Oneway ⇒ 
IND-CPA". Finally, in Section 5, we give the conclusion of our paper. 
2 Definition of Standard Model PA2 

In this section, we review the definition of the standard model PA2 [BP04]. 
Before giving the formal definition, we give an intuitive explanation. The 
definition of the standard model PA2 is based on the indistinguishability of 
two worlds, the Dec world and the Ext world, and uses two entities, an 
adversary and an extractor. In the Dec world the adversary has access to the 
decryption oracle and the encryption oracle; in the Ext world it has access to 
the extractor and the encryption oracle. The extractor has to simulate the 
decryption oracle using only data "which the adversary can see", that is, the 
adversary's description, its random tape, and the answers from the encryption 
oracle. 

A characteristic feature of the definition is a mechanism that hides the 
adversary's encryption queries from the extractor. For this purpose a further 
entity, the plaintext creator, is introduced: it makes encryption queries as the 
adversary's proxy. In both the Dec and the Ext world, the adversary does not 
make encryption queries directly but sends an order to the plaintext creator, 
which in turn sends a query to the encryption oracle. 

The extractor is not allowed to see the plaintext creator's random tape, 
although it may see the adversary's. Hence it cannot know which queries are 
made to the encryption oracle. We say that an encryption scheme satisfies the 
standard model PA2 if, from the adversary's point of view, the Dec and Ext 
worlds are indistinguishable. 

We now define the standard model PA2 formally: 

Definition 1 (Standard Model PA2 [BP04]). Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be 
a public-key encryption scheme. Let $A$, $P$, $K$ be polytime machines, which are 
respectively called adversary, plaintext creator, and extractor. Let $A(\mathrm{pk}; R_A)$ 
denote the execution of an algorithm $A$ on input $\mathrm{pk}$ with the random coins 
$R_A$. For a security parameter $\kappa \in \mathbb{N}$, we define two experiments 
$\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A,P}(\kappa)$ and 
$\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A,K,P}(\kappa)$, shown in Fig. 1. In these 
experiments, it is required that $A$ makes no query $(\mathrm{dec}, C)$ for which 
$C \in \mathrm{CList}$. 

We say that the public-key encryption scheme $\Pi$ is perfectly/statistically/ 
computationally standard model PA2 secure if 

$$\forall A\ \exists K\ \forall P:\quad 
\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A,P}(\kappa) \text{ and } 
\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A,K,P}(\kappa) \text{ are perfectly/statistically/computationally indistinguishable in } \kappa.$$

Since we only discuss the standard model PA2, we simply say that $\Pi$ is 
perfectly/statistically/computationally PA2 secure if it is perfectly/ 
statistically/computationally standard model PA2 secure. 


Theorem 2 (Fundamental Theorem for Standard Model PA2 [BP04]). 

Let $\Pi$ be an IND-CPA secure public-key encryption scheme. If $\Pi$ is (perfect, 
statistical, or computational) PA2 secure, then $\Pi$ is IND-CCA2 secure. 
Exp^{PA2-Dec}_{Π,A,P}(κ): 
  Take coins R_A and R_P for A and P randomly. 
  (pk, sk) ← Gen(1^κ), CList ← ε, St_P ← ε. (Here St_P is the state of P.) 
  Run A(pk; R_A) until it halts, replying to its oracle queries as follows: 
    If A makes query (enc, Q): 
      (M, St_P) ← P(Q, St_P; R_P), C ← Enc_pk(M), CList ← CList||C. 
      Send C to A as the reply. 
    If A makes query (dec, Q): 
      M ← Dec_sk(Q). Send M to A as the reply. 
  Return the output S of A. 

Exp^{PA2-Ext}_{Π,A,K,P}(κ): 
  Take coins R_A, R_P, and R_K for A, P, and K randomly. 
  (pk, sk) ← Gen(1^κ), CList ← ε, St_P ← ε, St_K ← (pk, R_A). 
  (Here St_P and St_K are the states of P and K.) 
  Run A(pk; R_A) until it halts, replying to its oracle queries as follows: 
    If A makes query (enc, Q): 
      (M, St_P) ← P(Q, St_P; R_P), C ← Enc_pk(M), CList ← CList||C. 
      Send C to A as the reply. 
    If A makes query (dec, Q): 
      (M, St_K) ← K(Q, CList, St_K; R_K). Send M to A as the reply. 
  Return the output S of A. 

Fig. 1. Experiments used to define PA2 of [BP04] 


3 Statistical PA2 Is Stronger Than Computational PA2 

In this section, we show that the statistical PA2 security is strictly stronger 
than the computational one. That is, we give an example of a computational PA2 
secure public-key encryption scheme $\Pi' = (\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$ which is not 
statistical PA2 secure. 

Let $\kappa$ be a security parameter. Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be a public-key 
encryption scheme which is statistical PA2 secure and IND-CPA secure (and 
therefore IND-CCA2 secure). For instance, we can take $\Pi$ to be the Cramer-Shoup 
scheme [CS01], if the Diffie-Hellman Knowledge assumption [D91, BP04] and the 
DDH assumption hold. We construct the desired public-key encryption scheme 
$\Pi' = (\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$ by modifying $\Pi$. The key generation algorithm $\mathrm{Gen}'(1^\kappa)$ 
first executes $\mathrm{Gen}(1^\kappa)$ and obtains a public key/secret key pair $(\mathrm{pk}, \mathrm{sk})$. 
It then selects a message $M_0$ at random and computes the ciphertext 
$C_0 = \mathrm{Enc}_{\mathrm{pk}}(M_0)$. It sets $\mathrm{pk}' = (\mathrm{pk}, C_0)$ and $\mathrm{sk}' = \mathrm{sk}$, and outputs 
the key pair $(\mathrm{pk}', \mathrm{sk}')$. We also set $\mathrm{Enc}'_{\mathrm{pk}'}(M) = \mathrm{Enc}_{\mathrm{pk}}(M)$ and 
$\mathrm{Dec}'_{\mathrm{sk}'}(C) = \mathrm{Dec}_{\mathrm{sk}}(C)$. See also Fig. 2 for the description of $\Pi'$. 

We first see that $\Pi'$ is not statistical PA2 secure. To this end we construct 
an adversary $A'_0$ such that no extractor can extract the plaintext of the 
ciphertext output by $A'_0$. Our adversary $A'_0$ simply reads $C_0$ from its input 
$\mathrm{pk}' = (\mathrm{pk}, C_0)$ and outputs it as its decryption query. Note that 
$C_0 \notin \mathrm{CList}$, since $C_0$ was produced by $\mathrm{Gen}'$ and not by the encryption 
oracle, so the query is allowed. 

Gen'(1^κ): 
  (pk, sk) ← Gen(1^κ). 
  Select a message M_0 randomly. 
  C_0 ← Enc_pk(M_0). 
  pk' ← (pk, C_0), sk' ← sk. 
  Output (pk', sk'). 

Enc'_pk'(M) = Enc_pk(M),   Dec'_sk'(C) = Dec_sk(C). 

A'_0(pk'): 
  Parse pk' as (pk, C_0) and output C_0. 

Fig. 2. Descriptions of Π' = (Gen', Enc', Dec') and A'_0 

Recall that $M_0$ and $C_0$ are generated by the key generation algorithm $\mathrm{Gen}'$, 
not by $A'_0$. Therefore, $A'_0$ "does not know" the message $M_0$ corresponding to 
$C_0$. Since an extractor $K'$ is given only data which the adversary can see, 
$K'$ "cannot know" $M_0 = \mathrm{Dec}'_{\mathrm{sk}'}(C_0) = \mathrm{Dec}_{\mathrm{sk}}(C_0)$ either. This means 
that $\Pi'$ is not statistical PA2 secure. 

However, we can show that $\Pi'$ is computational PA2 secure. At first glance, 
it seems that $\Pi'$ cannot be computational PA2 secure either, because even an 
extractor $K'$ for the computational PA2 "cannot know" $M_0 = \mathrm{Dec}'_{\mathrm{sk}'}(C_0)$. 
However, we do not actually require an extractor who "knows" $M_0$. Recall that 
the extractor $K'$ is only required to simulate the decryption oracle in such a 
way that the adversary $A'_0$ cannot computationally distinguish the output of 
$K'$ from that of the decryption oracle. Therefore $K'$ need not output the 
plaintext $M_0$ itself; it may output a plaintext $M_1$ such that $A'_0$ cannot 
computationally distinguish the distribution of $M_1$ from that of $M_0$. 

Recall that $A'_0$ "knows" neither the plaintext $M_0$ nor the random coins $r$ 
used in computing $C_0 = \mathrm{Enc}_{\mathrm{pk}}(M_0; r)$. Recall also that $\Pi$ is IND-CCA2 
secure. Hence $A'_0$ cannot distinguish a randomly selected message $M_1$ from 
$M_0$. Therefore $K'$ can output a randomly selected message $M_1$ as the answer 
to the decryption query $C_0$. 

Based on the above discussion, we can prove the following theorem. 

Theorem 3. Suppose that there exists at least one computational PA2 secure 
public-key encryption scheme (for instance, the Cramer-Shoup scheme [CS01], if 
it satisfies computational PA2 under the DDH assumption and the Diffie-Hellman 
Knowledge assumption [D91, BP04]). Then there exists a computational PA2 secure 
public-key encryption scheme which is not statistical PA2 secure. 

It is interesting to compare our result with Fujisaki's result [F06] about the 
random oracle PA2. In his paper, he defined the plaintext simulatability (PS) 
notion, a "computational variant" of the random oracle PA2, and showed that PS 
is strictly weaker than the random oracle PA2. Therefore, our result can be 
recognized as the standard model variant of Fujisaki's result [F06]. Comparing 
his result with ours, the statistical and computational standard model PA2 
notions correspond to the random oracle PA2 and to PS, respectively. 

4 PA2 Together with Onewayness Implies IND-CPA 

Our main result is the following: 

Theorem 4. Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be a public-key encryption scheme which 
satisfies the onewayness property. If $\Pi$ is perfectly, statistically, or 
computationally PA2 secure, then $\Pi$ is IND-CPA secure (and therefore, by 
Theorem 2, IND-CCA2 secure). 

This result shows the "all-or-nothing" aspect of PA2: a (perfect, statistical, 
or computational) PA2 secure encryption scheme either satisfies the strongest 
message hiding property, IND-CCA2, or does not satisfy even the weakest message 
hiding property, onewayness. 

Before proving Theorem 4, we see that the onewayness assumption cannot be 
removed from it: 

Theorem 5. There is a public-key encryption scheme which is perfect PA2 secure 
but is neither oneway nor IND-CPA secure. 

Proof (Theorem 5, sketch). Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be the public-key 
encryption scheme in which the encryption $\mathrm{Enc}_{\mathrm{pk}}(M)$ of a message $M$ is $M$ 
itself. Then $\Pi$ is clearly neither oneway nor IND-CPA secure. Recall the 
definition of PA2: $\Pi$ is PA2 secure if, for any adversary $A$, there exists an 
extractor $K$ which simulates the decryption oracle, i.e. which extracts the 
plaintext $M$ corresponding to each ciphertext $C$ queried by $A$. Since $K$ can 
read the message $M$ directly off the ciphertext (it answers $K(C) = C$), its 
answers coincide exactly with those of the decryption oracle, so $\Pi$ satisfies 
the perfect PA2. □ 
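As an added illustration (example code, not from the paper), the following Python harness runs the two experiments of Definition 1 and Fig. 1 with a pluggable adversary, plaintext creator and extractor, and instantiates them with the identity scheme of Theorem 5. The names (run_experiment, identity_scheme, sample_creator, sample_adversary) are this example's own, and R_A is represented by a seed. The harness enforces the rule that A may not query (dec, C) with C ∈ CList, and it hides the plaintext creator's coins from the extractor, which receives only (pk, R_A), CList and its own coins.

```python
import random

# Toy scheme of Theorem 5: Enc_pk(M) = M. Keys are dummies. The scheme is
# neither oneway nor IND-CPA, yet the extractor K(C) = C is perfect.
identity_scheme = {
    "gen": lambda kappa: ("pk", "sk"),
    "enc": lambda pk, m: m,
    "dec": lambda sk, c: c,
}


def identity_extractor(query, clist, state, coins):
    """K is given St_K = (pk, R_A), CList and its own coins R_K, never the
    plaintext creator's coins R_P. For the identity scheme the ciphertext
    is the plaintext, so K answers exactly as Dec_sk would."""
    return query, state


def run_experiment(scheme, adversary, creator, world, extractor=None, seed=0):
    """Exp^{PA2-Dec} (world="dec") or Exp^{PA2-Ext} (world="ext") of Fig. 1.
    Returns the adversary's output S. Raises ValueError if A violates the
    rule that no (dec, C) query may have C in CList."""
    if world not in ("dec", "ext"):
        raise ValueError("world must be 'dec' or 'ext'")
    if world == "ext" and extractor is None:
        raise ValueError("the Ext world needs an extractor")
    r_a = random.Random(seed)        # R_A: A's coins, visible to K via St_K
    r_p = random.Random(seed + 1)    # R_P: P's coins, hidden from K
    r_k = random.Random(seed + 2)    # R_K: K's own coins
    pk, sk = scheme["gen"](128)
    clist = []
    st_p = None                      # St_P <- epsilon
    st_k = (pk, seed)                # St_K <- (pk, R_A)

    def oracle(kind, q):
        nonlocal st_p, st_k
        if kind == "enc":            # A only orders P; P picks the plaintext
            m, st_p = creator(q, st_p, r_p)
            c = scheme["enc"](pk, m)
            clist.append(c)
            return c
        if kind == "dec":
            if q in clist:
                raise ValueError("forbidden query: (dec, C) with C in CList")
            if world == "dec":
                return scheme["dec"](sk, q)
            m, st_k = extractor(q, list(clist), st_k, r_k)
            return m
        raise ValueError("unknown query kind %r" % (kind,))

    return adversary(pk, oracle, r_a)


def sample_creator(order, state, coins):
    """A plaintext creator: on order Q it picks a random plaintext of its
    own (so K cannot predict it) and keeps a counter as its state."""
    count = 0 if state is None else state
    m = "msg-%s-%d-%d" % (order, count, coins.randrange(1000))
    return m, count + 1


def sample_adversary(pk, oracle, coins):
    """An adversary: obtains one oracle ciphertext (which it may not submit
    for decryption), then queries a ciphertext it forged itself. Its output
    S records whether the decryption answer equals the forged value."""
    oracle("enc", "please")
    forged = "forged-%d" % coins.randrange(1000)
    return oracle("dec", forged) == forged


def worlds_agree(seed=0):
    """True if the Dec and Ext worlds give the same output S for this seed;
    for the identity scheme with K(C) = C they always do (perfect PA2)."""
    dec = run_experiment(identity_scheme, sample_adversary, sample_creator,
                         "dec", seed=seed)
    ext = run_experiment(identity_scheme, sample_adversary, sample_creator,
                         "ext", identity_extractor, seed=seed)
    return dec == ext


def illegal_query_is_rejected():
    """The CList rule: decrypting an oracle-produced ciphertext is refused."""
    def cheater(pk, oracle, coins):
        c = oracle("enc", "x")
        return oracle("dec", c)
    try:
        run_experiment(identity_scheme, cheater, sample_creator, "dec")
    except ValueError:
        return True
    return False
```

With the identity scheme the extractor K(C) = C reproduces the decryption oracle exactly, so worlds_agree() returns True for every seed, which is the perfect PA2 claim of Theorem 5; swapping in a scheme whose Enc actually hides M leaves an extractor with nothing but pk, R_A and CList to work from, which is the situation the rest of the paper analyses.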

We first prove Theorem 4 for the special case where $\Pi$ is statistically PA2 
secure. Theorem 4 for the perfect PA2 security clearly follows from it. 

Proof (Theorem 4 for the statistical PA2, sketch). Suppose for contradiction 
that there exists a statistically PA2 secure public-key encryption scheme 
$\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ which is not IND-CPA secure. We show that $\Pi$ is then 
not oneway. 

To this end we construct an adversary $A_0$ with the following tricky property: 
$A_0$ can obtain a ciphertext $C_0$ such that (1) $A_0$ "does not know" the 
plaintext $M_0 = \mathrm{Dec}_{\mathrm{sk}}(C_0)$ and (2) $C_0$ is not generated by the encryption 
oracle. Suppose for a moment that we have such an $A_0$. Since $C_0$ is not 
generated by the encryption oracle, $A_0$ may make the query $C_0$ to the 
decryption oracle. Then, by the definition of plaintext awareness, there exists 
an extractor $K$ which extracts the plaintext $M_0$ from the query $C_0$ of $A_0$. 
(Here we use the supposition that $\Pi$ is statistically PA2 secure.) This means 
that $K$ outputs the unknown plaintext $M_0$ of the ciphertext $C_0$; that is, $K$ 
inverts the encryption function $\mathrm{Enc}$. This contradicts the assumption that 
$\Pi$ is oneway. 



Relationship Between Standard Model Plaintext Awareness    233 


We now describe how to construct $A_0$. At first glance it seems impossible, 
since the definition of plaintext awareness prevents $A_0$ from generating a 
ciphertext $C_0$ "without knowing" the corresponding plaintext $M_0$. The basic 
idea for obtaining such a $C_0$ is similar to that of Section 3. There, the 
adversary obtained $C_0$ from the key generation algorithm. In this proof, $A_0$ 
obtains $C_0$ from another entity, a plaintext creator $P_0$. Then $A_0$ "does not 
know" the message $M_0$ corresponding to $C_0$, since $P_0$, not $A_0$ itself, 
generates $C_0$. (We stress that $P_0$ itself, not the encryption oracle, 
generates $C_0$: if the encryption oracle generated $C_0$, $A_0$ could not send 
$C_0$ to the decryption oracle.) 

To employ this technique, $P_0$ has to send $C_0$ to $A_0$. However, there is no 
inherent communication channel which enables $P_0$ to send $C_0$ directly to 
$A_0$. So we construct a "virtual" communication channel from $P_0$ to $A_0$. 

Here we exploit the assumption that the public-key encryption scheme $\Pi$ is 
not IND-CPA secure. Recall that the definition of the statistical PA2 security 
allows $P_0$ to send plaintexts to the encryption oracle. Therefore $P_0$ can 
cause $A_0$ to receive a ciphertext $c$ whose plaintext was chosen by $P_0$. Since 
$\Pi$ is not IND-CPA secure, the ciphertext $c$ leaks information about its 
plaintext. This means that $P_0$ can send some information to $A_0$ via the 
ciphertext $c$; that is, $P_0$ can use the ciphertext as a virtual channel. 

We now describe more precisely how $P_0$ "sends" $C_0$ to $A_0$. Let $\mathrm{pk}_0$ be a 
public key and $\mathrm{sk}_0$ the unknown secret key corresponding to $\mathrm{pk}_0$. Since $\Pi$ 
is not IND-CPA secure, there exist an algorithm $B$, a state $\mathrm{St}_B$ of $B$, a 
pair of messages $(m_0, m_1)$, and a non-negligible, non-negative function 
$\mu = \mu(\kappa)$ satisfying 

$$\Pr[B(\mathrm{pk}_0, m_0, m_1, \mathrm{Enc}_{\mathrm{pk}_0}(m_1), \mathrm{St}_B) = 1] 
- \Pr[B(\mathrm{pk}_0, m_0, m_1, \mathrm{Enc}_{\mathrm{pk}_0}(m_0), \mathrm{St}_B) = 1] \ge \mu.$$

We set $N = \lceil 1/\mu \rceil$. Let $b_i$ be the $i$-th bit of the ciphertext 
$C_0 = \mathrm{Enc}_{\mathrm{pk}_0}(M_0)$, where $M_0$ is unknown. In advance, $A_0$ sends 
$\mathrm{pk}_0 \| m_0 \| m_1 \| N$ to $P_0$ via the channel over which $A_0$ issues its 
queries. For each $i$, $P_0$ sends the message $m_{b_i}$ as a query to the 
encryption oracle $N$ times. The encryption oracle then sends 
$c_i^{(1)} = \mathrm{Enc}_{\mathrm{pk}_0}(m_{b_i}), \ldots, c_i^{(N)} = \mathrm{Enc}_{\mathrm{pk}_0}(m_{b_i})$ to 
$A_0$ as the answers. After receiving $\{c_i^{(j)}\}$, $A_0$ executes 
$B(\mathrm{pk}_0, m_0, m_1, c_i^{(j)}, \mathrm{St}_B)$ and obtains an output $u_i^{(j)}$ of $B$ for 
each $i$ and $j$. Then $A_0$ sets $b'_i = 1$ if the number of $j$ with $u_i^{(j)} = 1$ 
exceeds the number of $j$ with $u_i^{(j)} = 0$, and $b'_i = 0$ otherwise. Since $B$ 
has non-negligible advantage, $u_i^{(j)} = b_i$ holds with probability 
$1/2 + (\text{non-negligible})$, so by the majority vote $b'_i = b_i$ holds with 
overwhelming probability. That is, $A_0$ reconstructs each bit $b_i$ of the 
ciphertext $C_0$, and hence the whole ciphertext $C_0 = b_1 \| \cdots \| b_n$. In 
this way, $A_0$ succeeds in "receiving" $C_0$ from $P_0$. □ 
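The following Python simulation, added here as an example (not the paper's code), implements the virtual channel just described with a constructed stand-in for a scheme that is not IND-CPA secure: a toy "encryption" that leaks the low bit of the plaintext with probability 1/2 + μ/2, a distinguisher B with advantage μ on a pair (m_0, m_1) differing in that bit, the plaintext creator's N queries per bit, and the adversary's majority vote. All function and variable names are this example's own. The helper majority_error gives the exact failure probability of the vote. One caveat a practitioner should keep in mind: with per-vote correctness 1/2 + μ/2, Hoeffding's bound gives a majority error of at most exp(−Nμ²/2), so driving the error below 2^{−κ} needs N on the order of κ/μ² rather than ⌈1/μ⌉; both are polynomial in κ for non-negligible μ, so the argument is unaffected, but the repetition count matters if one actually runs it.

```python
import random
from math import comb


def make_leaky_enc(mu, rng):
    """Toy 'encryption' standing in for a scheme that is not IND-CPA secure:
    Enc(m) = (random tag, leaked bit), where the leaked bit equals the low
    bit of m with probability 1/2 + mu/2 and is flipped otherwise. This is
    a constructed stand-in, not a real encryption scheme."""
    def enc(m):
        tag = rng.getrandbits(32)
        leak = m & 1
        if rng.random() >= 0.5 + mu / 2:
            leak ^= 1
        return (tag, leak)
    return enc


def toy_distinguisher(m0, m1, c):
    """B: output 1 iff the leaked bit matches the low bit of m1. For m0, m1
    differing in their low bit, Pr[B=1 | Enc(m1)] - Pr[B=1 | Enc(m0)] = mu."""
    return 1 if c[1] == (m1 & 1) else 0


def plaintext_creator_send(bits, m0, m1, n_rep, enc):
    """P_0's side of the channel: for each bit b_i of C_0, submit m_{b_i} to
    the encryption oracle N times. Returns the oracle answers c_i^(1..N)."""
    return [[enc(m1 if b else m0) for _ in range(n_rep)] for b in bits]


def adversary_receive(answers, m0, m1, B):
    """A_0's side: run B on each c_i^(j) and take the majority vote over j;
    as in the proof sketch, b'_i = 1 only if the 1-votes strictly win."""
    bits = []
    for cs in answers:
        ones = sum(B(m0, m1, c) for c in cs)
        bits.append(1 if ones > len(cs) - ones else 0)
    return bits


def majority_error(p_correct, n_rep):
    """Exact probability that a majority of n_rep independent votes, each
    correct with probability p_correct, is wrong (ties count as wrong)."""
    need = n_rep // 2 + 1
    ok = sum(comb(n_rep, k) * p_correct ** k * (1 - p_correct) ** (n_rep - k)
             for k in range(need, n_rep + 1))
    return 1 - ok


def run_channel(c0_bits, mu, n_rep, seed=0):
    """Simulate P_0 'sending' the bits of C_0 to A_0 through N oracle
    answers per bit; returns the bits A_0 reconstructs."""
    rng = random.Random(seed)
    enc = make_leaky_enc(mu, rng)
    m0, m1 = 0b10, 0b11          # the pair (m_0, m_1): differ in the low bit
    answers = plaintext_creator_send(c0_bits, m0, m1, n_rep, enc)
    return adversary_receive(answers, m0, m1, toy_distinguisher)
```

run_channel(bits, mu, n_rep) returns the bits A_0 recovers; with mu = 1.0 the channel is noiseless and every bit of C_0 comes through, while majority_error(0.5 + mu/2, n_rep) shows how the failure probability of each reconstructed bit falls as N grows for a weaker distinguisher.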

We now give the proof for the general case where $\Pi$ satisfies only the 
computational PA2 security. 
Proof (Theorem 4 for the computational PA2, sketch). As in the proof for the 
statistical PA2, we suppose that there exists a computationally PA2 secure 
public-key encryption scheme $\Pi$ which is not IND-CPA secure, and show that 
$\Pi$ is not oneway. 

We use algorithms similar to $A_0$ and $P_0$ of the proof for the statistical PA2. 
However, when $\Pi$ is only computational PA2, the extractor $K$ may output a 
plaintext $M'$ which is not equal to the plaintext $M_0 = \mathrm{Dec}_{\mathrm{sk}_0}(C_0)$, 
although the distribution of $M'$ has to be computationally indistinguishable 
from that of $M_0$. Therefore, in order to obtain $M_0$, we modify the 
descriptions of $A_0$ and $P_0$. 

We first construct an adversary $A_1$ by modifying $A_0$. Then, for some 
extractor $K$, $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P}(\kappa)$ is computationally 
indistinguishable from $\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A_1,P}(\kappa)$ for any $P$. Then, 
by modifying $P_0$, we construct a plaintext creator $P_1$ such that 
$\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_1}(\kappa)$ is in fact statistically indistinguishable 
from $\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A_1,P_1}(\kappa)$, although $P_1$ itself cannot be 
exploited to obtain the secret plaintext $M_0$. Finally, by modifying $P_1$, we 
construct a plaintext creator $P_2$ which can be exploited to obtain $M_0$. 

We now give a brief description of $A_1$ and $P_1$ by describing the experiment 
$\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A_1,P_1}(\kappa)$. (We stress that we first choose $A_1$, next 
obtain $K$, and finally choose $P_1$, although we describe $A_1$ and $P_1$ first and 
$K$ afterwards. One can easily check that $K$ can be taken independent of $P_1$.) 
In the experiment $\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A_1,P_1}(\kappa)$, the experimenter first 
executes the key generation algorithm $\mathrm{Gen}(1^\kappa)$ and obtains a public 
key/secret key pair $(\mathrm{pk}, \mathrm{sk})$. He inputs $\mathrm{pk}$ to the adversary $A_1$, the 
encryption oracle, and the decryption oracle, and $\mathrm{sk}$ to the decryption 
oracle. Then $A_1$ executes $B(\mathrm{pk})$ and obtains $(m_0, m_1, \mathrm{St}_B)$ as output. 
After that, $A_1$ sends $\mathrm{pk} \| m_0 \| m_1 \| N$ to $P_1$ via the channel over which 
$A_1$ issues its queries. Here $N = \lceil 1/\mu \rceil$. 

Then $P_1$ generates a message $M_1$ at random and computes the ciphertext 
$C_1 = \mathrm{Enc}_{\mathrm{pk}}(M_1)$. After that, $A_1$ and $P_1$ execute the same procedures as 
$A_0$ and $P_0$, except that they use $C_1$ instead of $C_0$. That is, $P_1$ "sends" 
$C_1$ to $A_1$ via the "virtual" channel. After "receiving" $C_1$ from $P_1$, $A_1$ 
makes the query $C_1$ to the decryption oracle, which sends back a message $M'$ 
as the answer. (Note that the decryption oracle sends back 
$M' = M_1 = \mathrm{Dec}_{\mathrm{sk}}(C_1)$, whereas an extractor $K$ may send back a message 
$M'$ other than $M_1$.) 

After that, $A_1$ sends $M'$ to $P_1$ via the channel over which $A_1$ issues its 
queries. $P_1$ checks whether $M_1 = M'$, and sets $S = 1$ if $M_1 = M'$ and $S = 0$ 
otherwise. Then $P_1$ "sends" $S$ to $A_1$ via the "virtual" channel. Finally, 
$A_1$ outputs $S$. 

Then, for some extractor $K$, $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P}(\kappa)$ is 
computationally indistinguishable from $\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A_1,P}(\kappa)$ for any 
$P$. In particular, $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_1}(\kappa)$ is computationally 
indistinguishable from $\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A_1,P_1}(\kappa)$. 

We show that $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_1}(\kappa)$ is, in fact, statistically 
indistinguishable from $\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A_1,P_1}(\kappa)$. In the real 
experiment $\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A_1,P_1}(\kappa)$, the output $S$ of $A_1$ is 1 with 
overwhelming probability (the only failure is that of the virtual channel). 
Since $A_1$ cannot computationally distinguish $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_1}(\kappa)$ 
from $\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A_1,P_1}(\kappa)$, $S = 1$ holds with overwhelming 
probability also in $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_1}(\kappa)$. Recall that $S = 1$ 
holds if and only if $M' = M_1$. Hence $K$ outputs the correct message $M_1$ 
corresponding to $C_1 = \mathrm{Enc}_{\mathrm{pk}}(M_1)$ with overwhelming probability. This 
means that $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_1}(\kappa)$ is statistically 
indistinguishable from $\mathrm{Exp}^{\mathrm{PA2\text{-}Dec}}_{\Pi,A_1,P_1}(\kappa)$. 

We next construct a plaintext creator $P_2$ by modifying $P_1$. Let $(\mathrm{pk}_0, C_0)$ 
be an instance of the onewayness game, and $\mathrm{sk}_0$ the unknown secret key 
corresponding to $\mathrm{pk}_0$. Our goal is to compute $M_0 = \mathrm{Dec}_{\mathrm{sk}_0}(C_0)$. The 
description of $P_2$ is the same as that of $P_1$, except that (1) $P_2$ takes $C_0$ 
as an input, (2) $P_2$ does not use a ciphertext $C_1$ generated by itself but 
instead uses the part $C_0$ of the instance $(\mathrm{pk}_0, C_0)$ of the onewayness 
game, and (3) $P_2$ always sets $S = 1$. 

We consider a modified version of the experiment 
$\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_2}(\kappa)$, named 
$\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_2}(\kappa, \mathrm{pk}_0, C_0)$, in which the experimenter 
uses the part $\mathrm{pk}_0$ of the instance $(\mathrm{pk}_0, C_0)$ of the onewayness game 
instead of a public key $\mathrm{pk}$ generated by $\mathrm{Gen}(1^\kappa)$. Recall that both 
$P_1$ in $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_1}(\kappa)$ and $P_2$ in 
$\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_2}(\kappa, \mathrm{pk}_0, C_0)$ set $S = 1$ with 
overwhelming probability. Moreover, the distribution of $(\mathrm{pk}_0, C_0)$ equals 
that of a randomly generated pair $(\mathrm{pk}, C)$. Hence the behaviour of $P_1$ in 
$\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_1}(\kappa)$ is statistically indistinguishable from 
that of $P_2$ in $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_2}(\kappa, \mathrm{pk}_0, C_0)$. (Recall that 
$K$ is not given the random coins of the plaintext creator, so $K$ cannot 
distinguish the behaviour of $P_1$ from that of $P_2$.) 

Therefore, the output distribution of 
$\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_2}(\kappa, \mathrm{pk}_0, C_0)$ is statistically 
indistinguishable from that of $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_1}(\kappa)$. Recall 
that in the experiment $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_1}(\kappa)$ the output $M'$ of 
$K$ equals $M_1 = \mathrm{Dec}_{\mathrm{sk}}(C_1)$ with overwhelming probability. Therefore, also 
in the experiment $\mathrm{Exp}^{\mathrm{PA2\text{-}Ext}}_{\Pi,A_1,K,P_2}(\kappa, \mathrm{pk}_0, C_0)$, the output 
$M'$ of $K$ equals $M_0 = \mathrm{Dec}_{\mathrm{sk}_0}(C_0)$ with overwhelming probability. This 
means that $K$ obtains the unknown plaintext $M_0 = \mathrm{Dec}_{\mathrm{sk}_0}(C_0)$ with 
overwhelming probability, contradicting the onewayness of $\Pi$. □ 

We remark that Theorem 4 does not hold for the random oracle PA2. See 
Appendix A for the definition of the random oracle PA2.¹ 

Proposition 6. Suppose that there exists a group $G$ on which the DDH problem 
is easy although the CDH problem is hard (for instance, an elliptic curve group 
on which a bilinear pairing [BF01, MOV93, JN03, SOK01] is defined). Then there 
exists a public-key encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ which satisfies 
the random oracle PA2 security and onewayness but does not satisfy IND-CPA 
security. 

Proof (sketch). The desired encryption scheme is the Fujisaki-Okamoto [FO99] 
padded ElGamal encryption scheme in which the message and the elements $g$ and 
$h$ of the public key $(g, h)$ are taken from the above $G$. As for the original 
Fujisaki-Okamoto padded ElGamal scheme, one can prove that this scheme 
satisfies the random oracle model PA2 security. Moreover, it satisfies 
onewayness, since the CDH problem is hard on $G$. However, it does not satisfy 
IND-CPA security, since the DDH problem on $G$ is easy. □ 

¹ The definition of the random oracle PA2 differs subtly between papers. Our 
definitions are those of [BR94, FOPS01]. In some papers, such as [BDPR98, F06], 
the authors say that a public-key encryption scheme satisfies the random oracle 
PA2 if it satisfies both our definition and IND-CPA security. 

By applying a similar idea to the Damgård scheme [D91], one can also show 
that there exists a public-key encryption scheme which satisfies the standard 
model PA1 security [BP04] and onewayness but does not satisfy IND-CPA 
security. See Appendix A for the definition of the standard model PA1. 

5 Conclusion 

In this paper, we studied the relationship between the standard model PA2 and 
the message hiding property IND-CPA. Although at first glance the two seem to 
be independent notions, we showed that each of the perfect, statistical, and 
computational PA2 notions in the standard model implies IND-CPA security 
whenever the encryption function is oneway. Combined with the fundamental 
theorem, this gives the stronger variant "(perfect, statistical or 
computational) PA2 + Oneway ⇒ IND-CCA2". It shows the "all-or-nothing" aspect 
of PA2: a (perfect, statistical, or computational) PA2 secure public-key 
encryption scheme either satisfies the strongest message hiding property, 
IND-CCA2, or does not satisfy even the weakest message hiding property, 
onewayness. 

We also showed that the statistical PA2 notion is strictly stronger than the 
computational one. Comparing Fujisaki's result [F06] with ours, the statistical 
and computational standard model PA2 notions correspond to the random oracle 
PA2 and to plaintext simulatability [F06], respectively. 
A Definitions 

A.l Security Definitions of an Encryption Scheme 

Definition 7 (IND-CPA/CCA1/CCA2). Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be a public-key 
encryption scheme and $\kappa$ a security parameter. For a public key/secret key 
pair $(\mathrm{pk}, \mathrm{sk})$ of $\Pi$, let $\mathcal{O}_{\mathrm{dec}}(\mathrm{sk}, \cdot)$ be the oracle (the decryption 
oracle) which returns $\mathrm{Dec}_{\mathrm{sk}}(C)$ to the adversary when the adversary sends 
it a ciphertext $C$. Let $b$ be a bit. Let $\mathcal{O}_{\mathrm{enc}}(b, \mathrm{pk}, \cdot)$ be the oracle 
(the encryption oracle) which returns $\mathrm{Enc}_{\mathrm{pk}}(M_b)$ to the adversary when the 
adversary sends it a pair $(M_0, M_1)$ of messages of the same length. We call 
$\mathrm{Enc}_{\mathrm{pk}}(M_b)$ the challenge ciphertext. 

For a bit $b$ and a polytime adversary $A$, we set 

$$P^{b}_{\Pi,A}(\kappa) = \Pr\big[(\mathrm{pk}, \mathrm{sk}) \leftarrow \mathrm{Gen}(1^\kappa),\ 
b' \leftarrow A^{\mathcal{O}_{\mathrm{enc}}(b,\mathrm{pk},\cdot),\,\mathcal{O}_{\mathrm{dec}}(\mathrm{sk},\cdot)}(\mathrm{pk}) : b' = 1\big]$$ 
and 
$$\mathrm{Adv}_{\Pi,A}(\kappa) = \big|P^{1}_{\Pi,A}(\kappa) - P^{0}_{\Pi,A}(\kappa)\big|.$$ 

Above, $A$ may query $\mathcal{O}_{\mathrm{enc}}(b, \mathrm{pk}, \cdot)$ only once. Moreover, $A$ is not 
allowed to send the challenge ciphertext to $\mathcal{O}_{\mathrm{dec}}(\mathrm{sk}, \cdot)$. 

We say that $\Pi$ is IND-CPA secure if $\mathrm{Adv}_{\Pi,A}(\kappa)$ is negligible for every 
polytime adversary $A$ which makes no query to $\mathcal{O}_{\mathrm{dec}}(\mathrm{sk}, \cdot)$. We say that 
$\Pi$ is IND-CCA1 secure if $\mathrm{Adv}_{\Pi,A}(\kappa)$ is negligible for every polytime 
adversary $A$ which makes no query to $\mathcal{O}_{\mathrm{dec}}(\mathrm{sk}, \cdot)$ after receiving the 
challenge ciphertext from $\mathcal{O}_{\mathrm{enc}}(b, \mathrm{pk}, \cdot)$. We say that $\Pi$ is IND-CCA2 
secure if $\mathrm{Adv}_{\Pi,A}(\kappa)$ is negligible for every polytime adversary $A$. 

Definition 8 (Onewayness). Let $\kappa$ be a security parameter, 
$\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ a public-key encryption scheme, and $\mathcal{M}_{\mathrm{pk}}$ the 
message space of $\Pi$ for the public key $\mathrm{pk}$. We say that $\Pi$ is oneway 
(against CPA attack) if for every polytime adversary $\mathcal{I}$ (the inverter), the 
probability 

$$\Pr\big[(\mathrm{pk}, \mathrm{sk}) \leftarrow \mathrm{Gen}(1^\kappa),\ M \leftarrow \mathcal{M}_{\mathrm{pk}},\ 
C \leftarrow \mathrm{Enc}_{\mathrm{pk}}(M),\ M' \leftarrow \mathcal{I}(\mathrm{pk}, C) : M = M'\big]$$ 

is negligible in $\kappa$. 
Exp^{PA2}_{Π,A,K}(κ): 
  Hash ← (the set of all hash functions), (pk, sk) ← Gen^Hash(1^κ). 
  C ← A^{Hash, Enc^Hash_pk}(pk). 
  HList ← (the list of all pairs of hash queries of A and the corresponding answers), 
  CList ← (the list of all answers of the oracle Enc^Hash_pk). 
  M ← K(pk, C, HList, CList). 
  If M = Dec^Hash_sk(C), return 1. Otherwise return 0. 

Fig. 3. Experiment used to define the random oracle PA2 


Plaintext Awareness defined in [BR94, BDPR98]. We review the definitions of 
PA1 and PA2 in the random oracle model, as defined in [BR94, BDPR98]. 

Definition 9 (Random Oracle PA2). Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be a public-key 
encryption scheme which uses a hash function. For a hash function $\mathrm{Hash}$, let 
$\mathrm{Gen}^{\mathrm{Hash}}$, $\mathrm{Enc}^{\mathrm{Hash}}$, and $\mathrm{Dec}^{\mathrm{Hash}}$ denote the key generation, 
encryption, and decryption algorithms instantiated with the hash function 
$\mathrm{Hash}$. Let $A$ and $K$ be polytime machines, respectively called adversary and 
extractor. For a security parameter $\kappa \in \mathbb{N}$, let 
$\mathrm{Exp}^{\mathrm{PA2}}_{\Pi,A,K}(\kappa)$ denote the experiment described in Fig. 3. 

In this experiment, $C$ must not be an element of $\mathrm{CList}$. We say that the 
public-key encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is random oracle PA2 secure 
if there exists $K$ such that, for any $A$, the success probability 

$$\mathrm{Succ}^{\mathrm{PA2}}_{\Pi,A,K}(\kappa) = \Pr\big[\mathrm{Exp}^{\mathrm{PA2}}_{\Pi,A,K}(\kappa) = 1\big]$$ 

is overwhelming in $\kappa$. 

Definition 10 (Random Oracle PA1). We say that a public-key encryption 
scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ satisfies the random oracle PA1 if there exists 
an extractor $K$ such that, for any adversary $A$ which makes no query to the 
encryption oracle, the success probability $\mathrm{Succ}^{\mathrm{PA2}}_{\Pi,A,K}(\kappa)$ is 
overwhelming in $\kappa$. 

Theorem 11 (Fundamental Theorem for the random oracle PA [BR94, 
BDPR98]). Let $\Pi$ be an IND-CPA secure public-key encryption scheme in the 
random oracle model. If $\Pi$ satisfies the random oracle PA1 or PA2 security, 
then $\Pi$ is IND-CCA1 or IND-CCA2 secure, respectively. 

Standard Model PA1. We next review the definition of PA1 in the sense of 
[BP04]. We use two experiments to define PA1. They are almost the same as 
those for PA2, except that the adversary makes no query to the plaintext 
creator $P$. Since the experiments do not depend on $P$, we denote them by 
$\mathrm{Exp}^{\mathrm{PA1\text{-}Dec}}_{\Pi,A}(\kappa)$ and $\mathrm{Exp}^{\mathrm{PA1\text{-}Ext}}_{\Pi,A,K}(\kappa)$. 

Definition 12 (Standard Model PA1). We say that a public-key encryption 
scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is perfect/statistical/computational PA1 secure in 
the sense of [BP04], or simply perfect/statistical/computational PA1 secure, if 
for each adversary $A$ which makes no query to the plaintext creator there 
exists $K$ such that the two experiments $\mathrm{Exp}^{\mathrm{PA1\text{-}Dec}}_{\Pi,A}(\kappa)$ and 
$\mathrm{Exp}^{\mathrm{PA1\text{-}Ext}}_{\Pi,A,K}(\kappa)$ are perfectly/statistically/computationally 
indistinguishable. We simply say that $\Pi$ is PA1 secure in the sense of [BP04] 
(or PA1 secure) if $\Pi$ is computationally PA1 secure. 

Theorem 13 (Fundamental Theorem for Standard Model PA1 [BP04]). 

Let $\Pi$ be an IND-CPA secure public-key encryption scheme. If $\Pi$ is (perfect, 
statistical, or computational) PA1 secure, then $\Pi$ is IND-CCA1 secure. 
Abstract. To prove or disprove the computational equivalence of solving the 
RSA problem and factoring integers is a longstanding open problem in 
cryptography. This paper provides some evidence towards the validity of this 
equivalence. We show that any efficient generic ring algorithm which solves 
the (flexible) low-exponent RSA problem can be converted into an efficient 
factoring algorithm. Thus, the low-exponent RSA problem is intractable w.r.t. 
generic ring algorithms provided that factoring is hard. 

Keywords: Computational Equivalence, RSA Problem, Factorization Problem, 
Generic Algorithms. 

1 Introduction and Related Work 

The security of the well-known RSA encryption and signature scheme [1] relies on 
the hardness of the so-called RSA or root extraction problem: let $n = pq$ be the 
product of two large primes and let $e$ be a positive integer s.t. 
$\gcd(e, \phi(n)) = 1$. Then, given $n$, $e$ and an element $x \in \mathbb{Z}_n$, the 
challenge is to find an element $y \in \mathbb{Z}_n$ s.t. $y^e = x$. The RSA problem is 
closely related to the problem of factoring integers, i.e., in the case of an 
RSA modulus, finding $p$ and $q$ given $n$. While it is well known that the RSA 
problem can be reduced to the factorization problem, it is a longstanding open 
problem whether the converse is true, i.e., whether an algorithm for finding 
$e$-th roots can be used to factor $n$ efficiently. 
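The easy direction just mentioned, RSA ≤ factoring, in Python (an added example, not from the paper, using hypothetical function names and the textbook modulus n = 61·53): given p and q one computes d = e⁻¹ mod φ(n) and takes y = x^d mod n, checking the condition gcd(e, φ(n)) = 1 from the problem statement. A second function handles the flexible variant from the abstract, where the solver also chooses the exponent e.

```python
from math import gcd


def rsa_root_from_factors(n, e, x, p, q):
    """Return y with y**e == x (mod n), given the factorization n = p*q.
    Requires gcd(e, phi(n)) == 1, as in the statement of the RSA problem.
    (Hypothetical helper written for this example.)"""
    if p * q != n:
        raise ValueError("p*q != n")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python >= 3.8)
    return pow(x, d, n)


def flexible_rsa_root_from_factors(n, x, p, q, e_min=3):
    """Flexible RSA: the solver also picks e > 1. Here it takes the smallest
    e >= e_min that is coprime to phi(n) and returns (e, y) with
    y**e == x (mod n)."""
    phi = (p - 1) * (q - 1)
    e = e_min
    while gcd(e, phi) != 1:
        e += 1
    return e, rsa_root_from_factors(n, e, x, p, q)


def check_root(n, e, x, y):
    """Verify the claimed root: y**e == x (mod n)."""
    return pow(y, e, n) == x % n


if __name__ == "__main__":
    # Constructed textbook instance: n = 61*53 = 3233, e = 17, x = 2790.
    y = rsa_root_from_factors(3233, 17, 2790, 61, 53)
    print(y, check_root(3233, 17, 2790, y))
```

Nothing in this direction is generic: the modular inverse of e uses φ(n), which is exactly the information the factorization provides and a generic ring algorithm does not have.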

Theoretical results towards disproving resp. proving the existence of such a 
reduction from the factorization to the RSA problem have been provided by 
Boneh and Venkatesan [2] resp. Brown [3]. In both papers the low-exponent 
variant of the RSA problem (LE-RSA) is considered, where the public exponent 
e is restricted to be smaller than some fixed constant or a product of small 
factors. Moreover, the results given in these papers are limited to (slight 
extensions of) straight line programs (SLPs). These are non-probabilistic 
algorithms only allowed to perform a fixed sequence of addition, subtraction 
and multiplication steps on their inputs without branching or looping. Thus, 
the result of such a program can be represented by a fixed integer polynomial 
in its inputs. 

Boneh and Venkatesan [2] show that any straight line program that efficiently 
factors n given access to an oracle solving the LE-RSA problem can be converted 
into a real polynomial-time factoring algorithm. This means that there exists 
no straight line reduction from factoring to LE-RSA, unless factoring is easy. 
The authors also show that this holds for algebraic reductions, which are 
straight line reductions extended by basic branching steps based on equality 
tests. 

Recently, Brown [3] shows that any straight line program solving the LE-RSA problem also reveals the factorization of the RSA modulus. In other words, the LE-RSA problem is intractable for SLPs provided that factoring is hard. More precisely, he proves that an efficient SLP for breaking LE-RSA can always be transformed into an efficient factoring algorithm. Moreover, Brown outlines (see Appendix F in [3]) how this result extends to a generalization of SLPs (called SLEEPs) which are additionally allowed to perform basic branching steps based on the equality of elements.

At first sight, Brown's result seems to be contradictory to [2], since an SLP for breaking LE-RSA aids in factoring the modulus. However, the factoring algorithms considered by Brown which make use of the LE-RSA SLP are no straight line programs and in addition the LE-RSA SLP is not simply used as a black-box as it is done in [2]. So both results do not contradict but are results in opposite directions.

Another important theoretical result about the hardness of the RSA problem is due to Damgård and Koprowski [4]. They studied the problem of root extraction in finite abelian groups of unknown order and prove that both the standard and the flexible RSA problem, where the parameter $e$ is no fixed input but can be chosen freely, are intractable w.r.t. generic group algorithms.

The concept of generic group algorithms has been introduced by Nechaev [5] and Shoup [6]. Loosely speaking, generic algorithms are probabilistic algorithms that, given a group $G$ as a black box, may only perform a set of basic operations on the elements of $G$ such as applying the group law, inversion of group elements and equality testing. Since the group is treated as a black box, the algorithms cannot exploit any special properties of the representation of group elements.

It is important to note that the generic algorithms for solving the (flexible) RSA problem considered in [4] are restricted in the following respects: They can only exploit the group structure of the multiplicative group $\mathbb{Z}_n^*$ and not the full ring structure of $\mathbb{Z}_n$ which would be more natural in the case of the RSA problem. Moreover, the RSA modulus $n$ is not given as input to them. Instead, the multiplicative group is chosen at random according to a publicly known probability distribution and the algorithms know that the group order lies in a certain interval. Damgård and Koprowski leave it as an open problem to consider the RSA problem in a more natural generic model not having the restrictions described above.

1.1 Our Contribution 

In this paper we propose a solution to the open problem stated in [4] by considering the hardness of the flexible LE-RSA problem w.r.t. generic ring algorithms. We consider the following model of a generic ring algorithm: Let $\sigma : \mathbb{Z}_n \to S_n$, where $S_n \subseteq \{0,1\}^{\lceil \log_2(n) \rceil}$ and $|S_n| = n$, denote a random encoding function for $\mathbb{Z}_n$, which is a function randomly chosen from the set of bijective mappings from $\mathbb{Z}_n$ into the set of bit strings of sufficient length. A generic ring algorithm for the flexible RSA problem is a probabilistic algorithm which is given $n$, $S_n$ and the encodings $\sigma(0)$, $\sigma(1)$ and $\sigma(x)$ as input. These encodings are the initial content of the encoding list which contains all encodings $\sigma(x_i)$ of ring elements $x_i$ occurring during a computation. In a computation the algorithm can query a ring oracle, which given two indices $i$ and $j$ into this list computes $\sigma(x_i \pm x_j)$ or $\sigma(x_i x_j)$ and appends this encoding to the list. After some queries the algorithm finally outputs a pair $(e, \sigma(y))$ where $e > 1$ and $\gcd(e, \phi(n)) = 1$. It succeeds iff $y^e = x$.

Note that given the factorization of $n$, computing $e$-th roots is possible using $O(\log(n))$ oracle queries. So clearly it is not possible to prove that a generic ring algorithm given $n$ needs exponentially many oracle queries to solve the problem, since the algorithm might first factor $n$ (without using the oracle) and then compute the $e$-th root using $O(\log(n))$ queries. Therefore any approach to prove something about the hardness of the problem in this model has to relate the RSA problem to the factorization problem.

We show that any efficient generic ring algorithm which solves the flexible LE-RSA problem with non-negligible probability can be converted into an efficient factoring algorithm having non-negligible success probability. The considered generic algorithms can thereby only choose $e$ from the set of exponents having a factor bounded by some small fixed constant. Thus, the LE-RSA problem is intractable w.r.t. generic ring algorithms unless factoring is easy.

The paper at hand extends the results by Brown to a broader and more natural class of algorithms: First, the class of generic ring algorithms is clearly larger than the class of SLPs. Moreover, each SLEEP can be implemented as a generic ring algorithm. However, it is not known if every generic ring algorithm can be realized as a SLEEP. We note that for part of our proof we use a theorem given in [3].

2 Relating Flexible LE-RSA to Factoring 

2.1 Generic Ring Algorithms 

We formalize the notion of a generic algorithm for the ring $\mathbb{Z}_n$ based on Shoup's generic group model [6]. To this end, the group oracle just needs to be extended by a multiplication operation in order to make the full ring structure of $\mathbb{Z}_n$ available. However, the ring oracle $\mathcal{O}$ we present slightly differs from such an extended group oracle in the following sense: Instead of using the ring $\mathbb{Z}_n$ for the internal representation of ring elements, these elements are represented by polynomials in the variable $X$ over $\mathbb{Z}_n$ which are evaluated with $x$ each time the encoding of a newly computed element must be determined. It is easy to see that both versions of a generic ring oracle are actually equivalent. However, we believe that the presented version is a better starting point for doing and understanding proofs in the generic model.

The generic oracle $\mathcal{O}$ is defined as follows:

Input: As input $\mathcal{O}$ receives $x \in_U \mathbb{Z}_n$, the modulus $n$ and a list $\{\sigma_1, \ldots, \sigma_n\}$ of $n$ pairwise distinct bit strings randomly chosen from $S_n$.

Internal State: As internal state $\mathcal{O}$ maintains two lists $L$ and $E$ which always have the same length. For an index $j \in \{1, \ldots, |L|\}$ let $L_j$ denote the $j$-th element of $L$ and $E_j$ the $j$-th element of $E$. In the list $L$, polynomials $L_j \in \mathbb{Z}_n[X]$ are stored which represent computed ring elements $L_j(x)$. The list $E$ contains the encodings $E_j$ of the corresponding ring elements $L_j(x)$. Moreover, $\mathcal{O}$ maintains a counter $c$ which counts the number of different elements contained in $E$ and the encoding function $\sigma : \mathbb{Z}_n \to S_n$ which will be gradually defined during computation by the assignments between computed ring elements and the bit strings $\sigma_1, \ldots, \sigma_n$.

Encoding elements: Each time a polynomial $P$ is appended to the list $L$ (during the initialization or query-handling phase described below) it is checked whether the corresponding element $P(x)$ has already been computed. More precisely, $\mathcal{O}$ checks if there exists any $j \in \{1, \ldots, |L|\}$ s.t.

$$(P - L_j)(x) = 0 \bmod n .$$

If this is not the case, $\mathcal{O}$ increases the counter $c$ and appends the random bit string $\sigma_c \in S_n \setminus E$ to $E$ which is different from all encodings so far contained in $E$. Additionally, the partially defined encoding function is updated with the new assignment, i.e., $\sigma := \sigma \cup \{P(x) \mapsto \sigma_c\}$. If the equation holds for any $j$ the bit string $E_j$ is again appended to $E$.

A run of $\mathcal{O}$ consists of three phases:

Initialization: In this phase all lists are first set to the empty list, $c$ is set to zero and the encoding function $\sigma$ is set to be undefined for all $x \in \mathbb{Z}_n$. After that, $L$ is appended with the polynomials $0$, $1$ and $X$, $E$ is appended with the respective encodings and $\sigma$ and $c$ are updated accordingly.

Query-handling: In the query-handling phase $\mathcal{O}$ handles at most $m$ queries. A query is a triple $(\circ, j_1, j_2)$ where $\circ \in \{+, -, \cdot\}$ identifies an operation and $j_1, j_2$ are indices identifying the list elements the operation should be applied to. A query $(\circ, j_1, j_2)$ is handled by computing the polynomial $P := L_{j_1} \circ L_{j_2}$, appending $P$ to $L$ and the respective encoding to $E$ and updating $\sigma$ and $c$ accordingly.

Finalization: After an algorithm $\mathcal{A}$ has made at most $m$ queries to $\mathcal{O}$, it signals $\mathcal{O}$ to finalize the computation before it eventually does its final output. Upon receiving this signal, $\mathcal{O}$ updates the encoding function $\sigma$ by assigning (in some fixed order) the $n - c$ ring elements $x \in \mathbb{Z}_n \setminus \{P(x) \mid P \in L\}$ which have not already occurred during computation to the random bit strings $\sigma_{c+1}, \ldots, \sigma_n$. After that, $\mathcal{O}$ signals $\mathcal{A}$ to output its solution $(e, out)$, where $out \in S_n$, $e > 1$ and $\gcd(e, \phi(n)) = 1$. We define the following success event

$\mathcal{S}$: $\mathcal{A}$ outputs an encoding $out = \sigma(y)$ and an integer $e$ such that $y^e = x \bmod n$.
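To make the oracle's bookkeeping concrete, the following Python implementation is an added example and not part of the paper: it tracks ring elements as polynomials over $\mathbb{Z}_n$ exactly as $\mathcal{O}$ does, evaluating them at the secret $x$ only when an encoding has to be determined, and runs the three phases on a constructed toy modulus $n = 15$ with $x = 2$ so that the whole run can be inspected. List indices are 0-based here (the paper's are 1-based), and the class and function names are the example's own.

```python
# Added example (not from the paper): a toy version of the generic ring oracle
# O of Section 2.1. Ring elements are kept as polynomials over Z_n (dicts
# {degree: coefficient}) and are evaluated at the secret x only when an
# encoding must be determined. List indices are 0-based here, 1-based in the paper.
import random
from math import gcd

def poly_add(P, Q, n, sign=1):
    """Return P + sign*Q with coefficients reduced mod n, zero terms dropped."""
    R = dict(P)
    for d, c in Q.items():
        R[d] = (R.get(d, 0) + sign * c) % n
    return {d: c for d, c in R.items() if c}

def poly_mul(P, Q, n):
    """Return P*Q with coefficients reduced mod n."""
    R = {}
    for d1, c1 in P.items():
        for d2, c2 in Q.items():
            R[d1 + d2] = (R.get(d1 + d2, 0) + c1 * c2) % n
    return {d: c for d, c in R.items() if c}

def poly_eval(P, x, n):
    """Evaluate P at x in Z_n."""
    return sum(c * pow(x, d, n) for d, c in P.items()) % n

class GenericRingOracle:
    """Lists L (polynomials) and E (encodings), counter c, and the partially
    defined encoding function sigma over n distinct random bit strings."""

    def __init__(self, p, q, x, max_queries, rng=random):
        self.p, self.q, self.n, self.x, self.m = p, q, p * q, x, max_queries
        bits = self.n.bit_length()                       # ceil(log2 n) bits suffice
        draws = rng.sample(range(2 ** bits), self.n)     # sigma_1 .. sigma_n
        self.strings = [format(s, f"0{bits}b") for s in draws]
        self.L, self.E, self.c, self.sigma, self.queries = [], [], 0, {}, 0
        for P in ({}, {0: 1}, {1: 1}):                   # initialization: 0, 1, X
            self._append(P)

    def _append(self, P):
        """Reuse E_j if (P - L_j)(x) = 0 mod n for some earlier j, else assign
        the next unused string sigma_c to the new element P(x)."""
        for j, Lj in enumerate(self.L):
            if poly_eval(poly_add(P, Lj, self.n, -1), self.x, self.n) == 0:
                self.L.append(P)
                self.E.append(self.E[j])
                return
        self.L.append(P)
        self.sigma[poly_eval(P, self.x, self.n)] = self.strings[self.c]
        self.E.append(self.strings[self.c])
        self.c += 1

    def query(self, op, j1, j2):
        """Handle a query (op, j1, j2), op in {'+', '-', '*'}; return the new encoding."""
        if self.queries >= self.m:
            raise RuntimeError("query budget m exhausted")
        self.queries += 1
        A, B = self.L[j1], self.L[j2]
        if op == "+":
            P = poly_add(A, B, self.n)
        elif op == "-":
            P = poly_add(A, B, self.n, -1)
        elif op == "*":
            P = poly_mul(A, B, self.n)
        else:
            raise ValueError("operation must be '+', '-' or '*'")
        self._append(P)
        return self.E[-1]

    def finalize(self):
        """Give the n - c never-computed elements the unused strings (fixed order),
        so that sigma becomes a bijection Z_n -> S_n."""
        unused = [v for v in range(self.n) if v not in self.sigma]
        for v, s in zip(unused, self.strings[self.c:]):
            self.sigma[v] = s

    def success(self, e, out):
        """Success event S: out = sigma(y) with y^e = x, for admissible e."""
        if e <= 1 or gcd(e, (self.p - 1) * (self.q - 1)) != 1:
            return False
        y = next(v for v, s in self.sigma.items() if s == out)
        return pow(y, e, self.n) == self.x

def demo(seed=1):
    """Constructed toy run with n = 15 and x = 2. The algorithm cubes x through
    the oracle; as 3*3 = 1 mod lambda(15) = 4, x^3 is a cube root of x."""
    O = GenericRingOracle(3, 5, x=2, max_queries=10, rng=random.Random(seed))
    enc_x2 = O.query("*", 2, 2)          # L[3] = X^2
    enc_x3 = O.query("*", 3, 2)          # L[4] = X^3
    enc_2x = O.query("+", 2, 2)          # L[5] = 2X, same element as X^2 at x = 2
    O.finalize()
    return {
        "distinct_elements": O.c,                  # 0, 1, x, x^2, x^3
        "collision_detected": enc_2x == enc_x2,    # equal elements, equal encodings
        "bijective": len(set(O.sigma.values())) == O.n,
        "root_found": O.success(3, enc_x3),        # 8^3 = 512 = 2 mod 15
    }
```

The run in `demo` illustrates the remark that an algorithm which knows the factorization needs only $O(\log n)$ queries: two multiplications suffice to reach $x^3$, which is a cube root of $x$ modulo 15, and the oracle's success check accepts it. The collision between $2X$ and $X^2$ also shows why the oracle must compare polynomials under evaluation at $x$ rather than syntactically.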


2.2 Main Theorem

Our result lower bounding the hardness of flexible RSA in terms of the hardness of factoring integers can be stated as follows:

Theorem 1. Let $\mathcal{O}$ be a generic ring oracle for the ring $\mathbb{Z}_n$ of order $n = pq$ as defined above. Let $\mathcal{A}$ be a generic algorithm that makes at most $m$ oracle queries to $\mathcal{O}$ and let $(e, \sigma(y)) \leftarrow \mathcal{A}^{\mathcal{O}}(n, S_n, \sigma(0), \sigma(1), \sigma(x))$, where $e > 1$ and $\gcd(e, \phi(n)) = 1$, be its final output. Then the probability that $y$ is an $e$-th root of $x$ is upper bounded by

$$\Pr[y^e = x] \le (4\phi(e') + 2)\,\gamma + \frac{1}{n - m - 3},$$

where $e'$ is the smallest factor of $e$ and $\gamma$ is a lower bound on the probability that $n$ can be factored using $\mathcal{A}$ and $O((\phi(e')^2 + \log(n))\,m^2)$ additional operations in $\mathbb{Z}_n$.


Note that the above theorem gives an upper bound on the probability that $\mathcal{A}$ finds an $e$-th root which depends on the particular exponent $e$ chosen by $\mathcal{A}$. More precisely, it is dependent on the size of the factors of $e$. This in particular means that we do not obtain a useful lower bound for exponents $e$ consisting of "large" factors only. "Large" in this context means that the factors cannot be bounded by a polynomial in the security parameter $\log(n)$. However, if we restrict the class of allowed exponents $\mathcal{A}$ can choose from to "low exponents", i.e., exponents having at least one factor which is smaller than some fixed constant $C$, we always obtain a useful bound.

Corollary 1 (Hardness of Flexible LE-RSA). Let $\mathcal{O}$ be a generic ring oracle for the ring $\mathbb{Z}_n$ of order $n = pq$ as defined above and let $C$ be an arbitrary constant. Let $\mathcal{A}$ be a generic algorithm that makes at most $m$ oracle queries to $\mathcal{O}$ and let $(e, \sigma(y)) \leftarrow \mathcal{A}^{\mathcal{O}}(n, S_n, C, \sigma(0), \sigma(1), \sigma(x))$ be its final output, where $e > 1$ has a factor smaller than $C$ and $\gcd(e, \phi(n)) = 1$. Then the probability that $y$ is an $e$-th root of $x$ is upper bounded by

$$\Pr[y^e = x] \le (4C + 2)\,\gamma + \frac{1}{n - m - 3},$$

where $\gamma$ is a lower bound on the probability that $n$ can be factored using $\mathcal{A}$ and $O((C^2 + \log(n))\,m^2)$ additional operations in $\mathbb{Z}_n$.

Let us assume that the number of queries $m$ is polynomially bounded. Then observe that the probability $\gamma$ is negligible if factoring is assumed to be hard, since $\gamma$ is a lower bound on the probability of factoring $n$ using a polynomially bounded number of operations in $\mathbb{Z}_n$. Thus, in this case also the upper bound on the probability $\Pr[y^e = x]$ given in the corollary is negligible because $m$ and $C$ are polynomially bounded and $\gamma$ is negligible. Hence, if factoring is hard Corollary 1 implies that the standard and the flexible LE-RSA problem are intractable w.r.t. generic ring algorithms. On the other hand, if for some special $n$ root extraction is easy for generic algorithms, which might be possible, we know from our corollary that $n$ can easily be factored.

Remark 1. In [4] special care has to be taken of the distribution of the group orders. More precisely, the order of the multiplicative group has to be randomly chosen according to certain so-called "hard" distributions in order to derive the desired exponential lower bounds on the running time of generic group algorithms. This was an extension of Shoup's original model for the purpose of handling groups of hidden order. From this perspective things are easier in our model. As the order $n$ of the additive group of the ring is given we do not have to worry about any special properties of the distribution according to which the order of the multiplicative group is chosen.

3 Proof of the Main Theorem

3.1 Outline

As usually done in proofs within the scope of the generic (group) model, we replace the original oracle $\mathcal{O}$ with an oracle $\mathcal{O}_{sim}$ that simulates $\mathcal{O}$ without using the knowledge of the secret $x$. Then we show that the behavior of $\mathcal{O}_{sim}$ is perfectly indistinguishable from $\mathcal{O}$ unless a certain simulation failure $\mathcal{F}$ occurs. From this, it immediately follows that the success probability of $\mathcal{A}$ when interacting with $\mathcal{O}$ is upper bounded by the sum of the failure probability and the success probability of $\mathcal{A}$ when interacting with $\mathcal{O}_{sim}$. We upper bound these probabilities in terms of the probability $\gamma$ from Theorem 1 and the number of oracle queries.

Remark 2. The main difficulty in proving Theorem 1 is to bound the probability of a simulation failure $\mathcal{F}$. Usually, $\mathcal{O}_{sim}$ is defined in a way that a simulation failure occurs iff two distinct polynomials $L_i, L_j \in L$ become equal under evaluation with $x$, and one can determine a useful (i.e., negligible) upper bound on the probability of $\mathcal{F}$ in terms of the maximal degree of such a difference polynomial $L_i - L_j$. However, here we face the problem that by using repeated squaring, $\mathcal{A}$ can generate polynomials in $L$ with exponentially high degrees. Thus, we cannot derive non-trivial bounds anymore using this well-known technique. Note that this difficulty is inherent to the ring structure and does usually not occur when we consider cryptographic problems over generic groups. We solve it by simulating $\mathcal{O}$ in a new way and relating the probability of $\mathcal{F}$ to the probability $\gamma$.


3.2 The Simulation Game

The simulation oracle $\mathcal{O}_{sim}$ is defined exactly like $\mathcal{O}$ except that it determines the encoding of elements differently in order to be independent of the secret $x$. To this end, each time a polynomial $P$ is appended to the end of list $L$ (during initialization or query-handling), $\mathcal{O}_{sim}$ does the following: Let $L_i = P$ denote the last entry of the updated list. Then for each $j < i$ the oracle chooses a random element $x^{(j)} \in_U \mathbb{Z}_n$ and checks whether

$$(L_i - L_j)(x^{(j)}) = 0 \bmod n .$$

If this equation holds for some $j_1, \ldots, j_k$ the encoding $E_j$, where $j = \min(j_1, \ldots, j_k)$, is appended as the encoding of the newly computed element to the list $E$.¹ If no $j$ exists s.t. the equation holds, counter $c$ is increased and the random bit string $\sigma_c \in S_n \setminus E$ which is different from all encodings already contained in $E$ is appended to $E$. Moreover, $\sigma$ is updated by the assignment $P(x) \mapsto \sigma_c$.

¹ Note that it is not important how $j$ is determined from $\{j_1, \ldots, j_k\}$; $j$ can be chosen from this set in an arbitrary way.

Note that due to the modifications to the computation of encodings, it is now possible that both an element $P(x)$ is assigned to two or more different encodings and more than one element is assigned to the same encoding. Thus, the number $r_1 := n - c$ of unused encodings remaining after the query-handling phase may be greater or smaller than the number $r_2 := n - |\{P(x) \mid P \in L\}|$ of elements not occurring during computation. In the finalization phase $\mathcal{O}_{sim}$ therefore assigns only $\min(r_1, r_2)$ elements from $\mathbb{Z}_n \setminus \{P(x) \mid P \in L\}$ to the encodings $\sigma_{c+1}, \ldots, \sigma_{c+\min(r_1, r_2)}$ (but using the same order as $\mathcal{O}$).

Let us consider the following events which can occur in an interaction with the simulation oracle:

$\mathcal{F}$: There exist $i > j \in \{1, \ldots, |L|\}$ such that

$$(L_i - L_j)(x) = 0 \bmod n \ \text{ and } \ (L_i - L_j)(x^{(j)}) \ne 0 \bmod n$$

or

$$(L_i - L_j)(x) \ne 0 \bmod n \ \text{ and } \ (L_i - L_j)(x^{(j)}) = 0 \bmod n .$$

$\mathcal{S}_{sim}$: $\mathcal{A}$ outputs $(e, out)$ such that $out$ is the encoding of a unique element $y$ and $y^e = x$.

The event $\mathcal{S}_{sim}$ is the success event in a simulation game. The event $\mathcal{F}$ is called simulation failure. It is important to observe that the original game and the simulation game proceed identically unless $\mathcal{F}$ occurs: Assume that $\mathcal{O}$ and $\mathcal{O}_{sim}$ receive the same arbitrary but fixed input. Then issuing the same sequence of queries to $\mathcal{O}$ and $\mathcal{O}_{sim}$ results in the same sequence of encodings contained in $E$, the same sequence of polynomials contained in $L$ and the same bijective encoding function $\sigma$, provided that $\mathcal{F}$ does not happen. Furthermore, consider an algorithm $\mathcal{A}$ with an arbitrary but fixed input on its random tape. Since $\mathcal{A}$ is deterministic, it issues the same sequence of queries in both interactions if it receives the same sequence of encodings from $\mathcal{O}$ and $\mathcal{O}_{sim}$. So assuming that $\mathcal{F}$ does not happen, $\mathcal{A}$ outputs the same exponent and encoding in both interactions and wins the simulation game if and only if it wins the original game. Thus, we have the following relation between the considered events

$$\mathcal{S} \wedge \neg\mathcal{F} \iff \mathcal{S}_{sim} \wedge \neg\mathcal{F} .$$

Using this relation we immediately obtain the desired upper bound on the success probability $\Pr[\mathcal{S}]$ in the original game in terms of the failure probability $\Pr[\mathcal{F}]$ and the probability $\Pr[\mathcal{S}_{sim} \wedge \neg\mathcal{F}]$ that no failure occurs and the algorithm succeeds in the simulation game.

$$\begin{aligned}
\Pr[\mathcal{S}] &= \Pr[\mathcal{S} \wedge \neg\mathcal{F}] + \Pr[\mathcal{S} \wedge \mathcal{F}] \\
&= \Pr[\mathcal{S}_{sim} \wedge \neg\mathcal{F}] + \Pr[\mathcal{S} \wedge \mathcal{F}] \\
&\le \Pr[\mathcal{S}_{sim} \wedge \neg\mathcal{F}] + \Pr[\mathcal{F}]
\end{aligned}$$

In the following we relate these probabilities to the probability $\gamma$.
3.3 Simulation Failure Probability

For arbitrary but fixed indices $i > j \in \{1, \ldots, m+3\}$ we consider the difference polynomial $\Delta := L_i - L_j$. Let

$$N(\Delta) := \{a \in \mathbb{Z}_n \mid \Delta(a) = 0 \bmod n\}$$

denote the set of zeros of this polynomial. Using the Chinese Remainder Theorem we can split $N(\Delta)$ into two sets

$$N(\Delta) \cong N_p(\Delta) \times N_q(\Delta), \quad \text{where}$$

$$N_p(\Delta) = \{a \in \mathbb{Z}_p \mid \Delta(a) = 0 \bmod p\} \quad \text{and} \quad N_q(\Delta) = \{a \in \mathbb{Z}_q \mid \Delta(a) = 0 \bmod q\} .$$

Let the value $|N_p(\Delta)|/p$ be denoted by $\mu_\Delta$ and $|N_q(\Delta)|/q$ by $\nu_\Delta$. The probability that a randomly chosen element $a \in_U \mathbb{Z}_n$ is a zero of the polynomial $\Delta$ can then be written as

$$\Pr[\Delta(a) = 0 \bmod n;\ a \in_U \mathbb{Z}_n] = \nu_\Delta \mu_\Delta .$$

Thus, the probability $\Pr[\mathcal{F}_\Delta]$ that for a fixed polynomial $\Delta$ a simulation failure occurs is given by

$$\begin{aligned}
\Pr[\mathcal{F}_\Delta] &= \Pr[\Delta(x) = 0 \bmod n;\ x \in_U \mathbb{Z}_n]\,\big(1 - \Pr[\Delta(x^{(j)}) = 0 \bmod n;\ x^{(j)} \in_U \mathbb{Z}_n]\big) \\
&\quad + \Pr[\Delta(x^{(j)}) = 0 \bmod n;\ x^{(j)} \in_U \mathbb{Z}_n]\,\big(1 - \Pr[\Delta(x) = 0 \bmod n;\ x \in_U \mathbb{Z}_n]\big) \\
&= 2\,\nu_\Delta \mu_\Delta (1 - \nu_\Delta \mu_\Delta) .
\end{aligned}$$

Now, we relate the failure probability $\Pr[\mathcal{F}_\Delta]$ with the probability $\gamma$ from Theorem 1. First observe that if we can find an element

$$a \in \big((\mathbb{Z}_p \setminus N_p(\Delta)) \times N_q(\Delta)\big) \cup \big(N_p(\Delta) \times (\mathbb{Z}_q \setminus N_q(\Delta))\big) ,$$

the polynomial $\Delta$ gives us the factorization of $n$ by computing $\gcd(\Delta(a), n)$. Thus, the probability $\gamma_\Delta$ that the factorization can be revealed in this way by choosing a random $a \in_U \mathbb{Z}_n$ is given by

$$\gamma_\Delta = \mu_\Delta (1 - \nu_\Delta) + (1 - \mu_\Delta)\,\nu_\Delta = \mu_\Delta + \nu_\Delta - 2\,\mu_\Delta \nu_\Delta .$$

The crucial observation is the following lemma.

Lemma 1. For any polynomial $\Delta \in \mathbb{Z}_n[X]$ it holds that $\Pr[\mathcal{F}_\Delta] \le 2\gamma_\Delta$.

Proof. We can see that $2\gamma_\Delta - \Pr[\mathcal{F}_\Delta] \ge 0$ by considering the following function $f : \mathbb{R} \times \mathbb{R} \to \mathbb{R}$,

$$f(\mu, \nu) = (\mu\nu)^2 - 3\mu\nu + \mu + \nu ,$$

since expanding the two expressions above gives $2\gamma_\Delta - \Pr[\mathcal{F}_\Delta] = 2 f(\mu_\Delta, \nu_\Delta)$. In order to prove the lemma, we have to show that this function does not reach any negative values in $[0,1] \times [0,1]$. The only critical point in the set $[0,1] \times [0,1]$ and therefore the only possible extremum is

$$(\mu_0, \nu_0) = \left( \frac{\sqrt{3} - 1}{2},\ \frac{\sqrt{3} - 1}{2} \right)$$

and we have $f(\mu_0, \nu_0) > 0$. Furthermore for the boundaries of the set $[0,1] \times [0,1]$ we get

$$f(0, \nu) = \nu \ge 0, \quad f(\mu, 0) = \mu \ge 0, \quad f(1, \nu) = (\nu - 1)^2 \ge 0, \quad f(\mu, 1) = (\mu - 1)^2 \ge 0 .$$

Thus it follows that for all $(\mu, \nu) \in [0,1] \times [0,1]$ we have $f(\mu, \nu) \ge 0$. □

Now, given $\mathcal{A}$ consider an algorithm that evaluates all possible difference polynomials $\Delta$ with a randomly chosen element $a \in_U \mathbb{Z}_n$ and computes for each integer $\Delta(a)$ the value $\gcd(\Delta(a), n)$. The probability that $n$ can be factored in this way is given by

$$\sum_{1 \le j < i \le |L|:\ \Delta = L_i - L_j} \gamma_\Delta .$$

The evaluation of all polynomials $\Delta$ can be done using a total of $O(m^2)$ operations. Computing all greatest common divisors requires $O(\log(n)\,m^2)$ operations using the Euclidean algorithm. So the probability of this factoring algorithm can be upper bounded by $\gamma$ (cf. Theorem 1).

Using Lemma 1 we obtain the following bound on the probability of a simulation failure

$$\Pr[\mathcal{F}] \le \sum_{1 \le j < i \le |L|:\ \Delta = L_i - L_j} \Pr[\mathcal{F}_\Delta] \le \sum_{1 \le j < i \le |L|:\ \Delta = L_i - L_j} 2\gamma_\Delta \le 2\gamma .$$
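The following Python script is an added example, not the paper's own code: for a constructed toy modulus $n = 7 \cdot 11$ and a chosen difference polynomial it counts $N_p(\Delta)$, $N_q(\Delta)$ and the elements $a$ for which $\gcd(\Delta(a), n)$ splits $n$, and compares the exhaustive counts with the closed forms $\mu_\Delta \nu_\Delta$, $\Pr[\mathcal{F}_\Delta] = 2\mu_\Delta\nu_\Delta(1 - \mu_\Delta\nu_\Delta)$ and $\gamma_\Delta = \mu_\Delta + \nu_\Delta - 2\mu_\Delta\nu_\Delta$ from this section. It also evaluates $f$ and its gradient at the critical point used in the proof of Lemma 1 and samples $f$ on a grid over $[0,1]^2$. The function names are the example's own.

```python
# Added example (not from the paper): exhaustive check of the Section 3.3
# quantities mu_Delta, nu_Delta, Pr[F_Delta] and gamma_Delta for a toy modulus,
# and of Lemma 1 (Pr[F_Delta] <= 2 gamma_Delta) via the function f(mu, nu).
from fractions import Fraction
from math import gcd, sqrt

def poly_eval(P, a, n):
    """Evaluate the polynomial P = {degree: coeff} at a modulo n."""
    return sum(c * pow(a, d, n) for d, c in P.items()) % n

def zero_fractions(Delta, p, q):
    """mu_Delta = |N_p(Delta)|/p and nu_Delta = |N_q(Delta)|/q, by brute force."""
    mu = Fraction(sum(1 for a in range(p) if poly_eval(Delta, a, p) == 0), p)
    nu = Fraction(sum(1 for a in range(q) if poly_eval(Delta, a, q) == 0), q)
    return mu, nu

def failure_probability(mu, nu):
    """Pr[F_Delta] = 2 mu nu (1 - mu nu): x and x^(j) disagree on being a zero."""
    return 2 * mu * nu * (1 - mu * nu)

def factoring_probability(mu, nu):
    """gamma_Delta = mu(1 - nu) + (1 - mu) nu: a is a zero mod exactly one prime."""
    return mu + nu - 2 * mu * nu

def f(mu, nu):
    """2 gamma_Delta - Pr[F_Delta] = 2 f(mu, nu); Lemma 1 is f >= 0 on [0,1]^2."""
    return (mu * nu) ** 2 - 3 * mu * nu + mu + nu

def gcd_factoring_rate(Delta, p, q):
    """Fraction of a in Z_n for which gcd(Delta(a), n) is a proper factor of n.
    By the CRT argument this must equal gamma_Delta."""
    n = p * q
    hits = sum(1 for a in range(n) if 1 < gcd(poly_eval(Delta, a, n), n) < n)
    return Fraction(hits, n)

def zero_rate(Delta, p, q):
    """Fraction of zeros of Delta in Z_n; must equal mu_Delta * nu_Delta."""
    n = p * q
    return Fraction(sum(1 for a in range(n) if poly_eval(Delta, a, n) == 0), n)

def check_difference_polynomial(Delta, p, q):
    """Compare the closed forms of Section 3.3 with exhaustive counts."""
    mu, nu = zero_fractions(Delta, p, q)
    pr_f, gamma = failure_probability(mu, nu), factoring_probability(mu, nu)
    return {
        "mu": mu, "nu": nu, "pr_failure": pr_f, "gamma": gamma,
        "zero_rate_matches": zero_rate(Delta, p, q) == mu * nu,
        "gcd_rate_matches": gcd_factoring_rate(Delta, p, q) == gamma,
        "lemma1_holds": pr_f <= 2 * gamma,
        "identity_holds": 2 * gamma - pr_f == 2 * f(mu, nu),
    }

def critical_point():
    """The interior critical point (mu_0, nu_0) of f from the proof of Lemma 1."""
    t = (sqrt(3) - 1) / 2
    return t, t

def gradient(mu, nu):
    """Partial derivatives of f; both vanish at the critical point."""
    return 2 * mu * nu ** 2 - 3 * nu + 1, 2 * nu * mu ** 2 - 3 * mu + 1

def f_nonnegative_on_grid(steps=50):
    """Minimum of f on an exact rational grid over [0,1]^2 including the
    boundary; a negative value would contradict Lemma 1."""
    pts = [Fraction(i, steps) for i in range(steps + 1)]
    return min(f(mu, nu) for mu in pts for nu in pts)
```

A useful call is `check_difference_polynomial({2: 1, 0: -1}, 7, 11)`, i.e. $\Delta = X^2 - 1$ with $p = 7$, $q = 11$: it has two zeros modulo each prime, so $\mu_\Delta = 2/7$, $\nu_\Delta = 2/11$, and the 28 elements of $\mathbb{Z}_{77}$ that are zeros modulo exactly one prime give $\gamma_\Delta = 4/11$, matching the exhaustive gcd count. All arithmetic is done with exact fractions so that the identity $2\gamma_\Delta - \Pr[\mathcal{F}_\Delta] = 2f(\mu_\Delta, \nu_\Delta)$ can be checked with equality rather than a floating-point tolerance.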

3.4 Success Probability in the Simulation Game

Let us split up the success event $\mathcal{S}_{sim}$ in two sub-events: We say that the generic algorithm wins if either it outputs a new encoding $out \notin E$ corresponding to a unique element $y$ which is an $e$-th root of $x$ or if a polynomial in the list yields an $e$-th root when evaluated with the element $x$. We denote these events by

$\mathcal{S}^1_{sim}$: $\mathcal{A}$ outputs $(e, out)$ s.t. $out \notin E$, $out$ is the encoding of a unique element $y$ and $y^e = x$.

$\mathcal{S}^2_{sim}$: There exists a polynomial $P \in L$ s.t. $P(x)^e = x$.

Note that $\mathcal{S}^2_{sim}$ is more than actually needed: Here we do not require that $\mathcal{A}$ actually outputs an encoding corresponding to $P(x)$, the existence of such a polynomial $P$ in $L$ is sufficient. We therefore have

$$\mathcal{S}_{sim} \Rightarrow \mathcal{S}^1_{sim} \vee \mathcal{S}^2_{sim}$$

and thus

$$\Pr[\mathcal{S}_{sim} \wedge \neg\mathcal{F}] \le \Pr[\mathcal{S}^1_{sim} \wedge \neg\mathcal{F}] + \Pr[\mathcal{S}^2_{sim}] .$$
Probability of Event $\mathcal{S}^1_{sim} \wedge \neg\mathcal{F}$. Assume that the event $\mathcal{F}$ has not happened during computation and $\mathcal{A}$ outputs a pair $(e, out)$ s.t. $out \notin E$. Since no simulation failure has occurred, $\sigma$ is a bijective mapping and in particular the encodings $\sigma_{c+1}, \ldots, \sigma_n$ not used in the query-handling phase are uniquely associated with the $n - c$ elements in $\mathbb{Z}_n \setminus \{P(x) \mid P \in L\}$. So the encoding $out$ corresponds to a randomly chosen element $y \in \mathbb{Z}_n \setminus \{P(x) \mid P \in L\}$. Thus, we have

$$\Pr[\mathcal{S}^1_{sim} \wedge \neg\mathcal{F}] \le \Pr[\mathcal{S}^1_{sim} \mid \neg\mathcal{F} \wedge out \notin E] \le \frac{1}{n - m - 3} .$$

Probability of Event $\mathcal{S}^2_{sim}$. Here we use the following lemma which corresponds to (a slight extension of) Theorem 6 in [3].

Lemma 2. Let $n = pq$, $p, q$ prime and $e \in \mathbb{N}$ with $\gcd(e, \phi(n)) = 1$. Let a polynomial $P \in \mathbb{Z}_n[X]$ be given that can be evaluated for any element $x \in \mathbb{Z}_n$ using at most $m$ additions and multiplications in $\mathbb{Z}_n$. For random $x \in_U \mathbb{Z}_n$ let the probability $\Pr[P(x)^e = x]$ be denoted by $\varepsilon_P$. Then using this polynomial $n$ can be factored with probability

$$\gamma_P \ge \frac{(e' - 1)(N - 1)}{\phi(e')\, e'\, N}\; \varepsilon_P$$

with at most $O(3\phi(e')^2 m)$ operations in $\mathbb{Z}_n$, where $e'$ is the smallest factor of $e$ and $N$ is the base of the natural logarithm.

The main idea behind this result is to evaluate $P$ over an appropriate extension of $\mathbb{Z}_n$, where the mapping $x \mapsto x^e$ is not a bijection anymore. Then one can use the well-known techniques to factor $n$ given two different $e'$-th roots of the same element.

We now apply this result in our setting. First, observe that clearly all polynomials $P \in L$ can be evaluated using at most $m$ operations in $\mathbb{Z}_n$. Thus, we can apply Lemma 2 to each $P$, i.e., we consider an algorithm that applies the procedure outlined in the proof of Theorem 6 in [3] to every polynomial in $L$. The running time of this algorithm is $O(\phi(e')^2 m^2)$. The probability that $n$ can be factored this way is given by $\sum_{P \in L} \gamma_P$ and by the definition of $\gamma$ (cf. Theorem 1) it follows that

$$\sum_{P \in L} \gamma_P \le \gamma .$$

Furthermore, it is easy to see that

$$\varepsilon_P \le \frac{\phi(e')\, e'\, N}{(e' - 1)(N - 1)}\; \gamma_P \le 4\phi(e')\, \gamma_P .$$

So we can conclude that the probability of the event $\mathcal{S}^2_{sim}$ is bounded by

$$\Pr[\mathcal{S}^2_{sim}] \le \sum_{P \in L} \varepsilon_P \le \sum_{P \in L} 4\phi(e')\, \gamma_P \le 4\phi(e')\, \gamma .$$
3.5 Putting Things Together

Using the bounds on the probabilities in the simulation game we can bound the success probability in the original game. For a generic algorithm $\mathcal{A}$ which makes $m$ queries to $\mathcal{O}$ and outputs a pair $(e, \sigma(y))$ consider an algorithm which

- chooses an element $a \in_U \mathbb{Z}_n$,
- computes $\gcd((L_i - L_j)(a), n)$ for each $i > j \in \{1, \ldots, m+3\}$ and
- applies the procedure given in the proof of Theorem 6 in [3] to each $L_i$.

The running time of this algorithm is $O((\phi(e')^2 + \log(n))\,m^2)$ and by definition of $\gamma$ its probability to factor $n$ is less than $\gamma$.

Hence, the probability that $y$ is an $e$-th root of the randomly chosen element $x$ is bounded by

$$\begin{aligned}
\Pr[y^e = x] &\le \Pr[\mathcal{S}_{sim} \wedge \neg\mathcal{F}] + \Pr[\mathcal{F}] \\
&\le \Pr[\mathcal{S}^1_{sim} \wedge \neg\mathcal{F}] + \Pr[\mathcal{S}^2_{sim}] + \Pr[\mathcal{F}] \\
&\le \frac{1}{n - m - 3} + 4\phi(e')\,\gamma + 2\gamma \\
&= (4\phi(e') + 2)\,\gamma + \frac{1}{n - m - 3} .
\end{aligned}$$

This completes the proof of Theorem 1 and Corollary 1.

Acknowledgments. We would like to thank Ivan Damgård, Daniel Brown as well as the anonymous reviewers for their valuable comments.

References

1. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2) (1978) 120-126

2. Boneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Advances in Cryptology: Proceedings of EUROCRYPT 1998. Volume 1403 of Lecture Notes in Computer Science, Springer-Verlag (1998) 59-71

3. Brown, D.R.L.: Breaking RSA may be as difficult as factoring. Cryptology ePrint Archive, Report 2005/380 (2006) http://eprint.iacr.org/

4. Damgård, I., Koprowski, M.: Generic lower bounds for root extraction and signature schemes in general groups. In: Advances in Cryptology: Proceedings of EUROCRYPT 2002. Volume 2332 of Lecture Notes in Computer Science, Springer-Verlag (2002) 256-271

5. Nechaev, V.I.: Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes 55(2) (1994) 165-172

6. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Advances in Cryptology: Proceedings of EUROCRYPT 1997. Volume 1233 of Lecture Notes in Computer Science, Springer-Verlag (1997) 256-266



Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption

Pascal Paillier¹ and Jorge L. Villar²

¹ Cryptography Group, Security Labs, Gemalto
pascal.paillier@gemalto.com

² Departament de Matematica Aplicada, Universitat Politecnica de Catalunya
jvillar@ma4.upc.edu


Abstract. We revisit a long-lived folklore impossibility result for factoring-based encryption and properly establish that reaching maximally secure one-wayness (i.e. equivalent to factoring) and resisting chosen-ciphertext attacks (CCA) are incompatible goals for single-key cryptosystems. We pinpoint two tradeoffs between security notions in the standard model that have always remained unnoticed in the Random Oracle (RO) model. These imply that simple RO-model schemes such as Rabin/RW-SAEP[+]/OAEP[+][+], EPOC-2, etc. admit no instantiation in the standard model in which CCA security is equivalent to factoring via a key-preserving reduction. We extend this impossibility to arbitrary reductions assuming non-malleable key generation, a property capturing the intuition that factoring a modulus $n$ should not be any easier when given a factoring oracle for moduli $n' \ne n$. The only known countermeasures against our impossibility results, besides malleable key generation, are the inclusion of an additional random string in the public key, or encryption twinning as in Naor-Yung or Dolev-Dwork-Naor constructions.

1 Introduction

The Paradox. When a proof is given that some cryptosystem is semantically secure under chosen ciphertext attack (IND-CCA) under some complexity assumption, one generally checks whether one-wayness can be guaranteed under a weaker assumption. In the case of simple cryptosystems based on factoring large integers however, an inevitable tradeoff seems to exist between one-wayness and chosen ciphertext security. This incompatibility, which was observed for factoring-based signature schemes as well [20,22,13], is folklore knowledge and dates back to the late eighties. Despite early reasonings and attempts (later shown to be wrong) by a number of authors to formally prove it, this so-called "paradox" [13, Section 4] has remained essentially unexplored in a formal manner and, surprisingly enough, overlooked by contributors.

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 252-266, 2006.

It is well known that the one-wayness of Rabin encryption and variants thereof [22,4,8,5] is equivalent to factoring (FACT), meaning that any efficient algorithm inverting encryption provides an efficient way to factor the modulus. It turns out that the same algorithm can be used to totally break the cryptosystem (i.e. factor the modulus) under a trivial chosen ciphertext attack. This kind of attack has never been reported for RSA. But the one-wayness of RSA has not been shown to be equivalent to FACT. In fact, there is a separation result by Boneh and Venkatesan [6] which roughly tells that if a reduction from FACT to low-exponent RSA existed, then an efficient factoring algorithm could be constructed. Simultaneously, RSA-based cryptosystems such as OAEP [3] seem to resist chosen-ciphertext attacks convincingly well in practice. This provides the intuition that some sort of incompatibility must exist between achieving one-wayness under the weakest possible assumption (factoring) and achieving chosen ciphertext security at all.
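The Rabin incompatibility described above, as an added example that is not part of the paper: the textbook reduction from factoring to inverting $x \mapsto x^2 \bmod n$ is written out, and a decryption oracle is then plugged in as the inverter, which is exactly why equivalence to factoring turns a single decryption query into a total break. The primes $p = 1019$, $q = 1039$ and the RNG seed are constructed toy values, the oracle's root selection is a deterministic choice made for the example, and the function names are the example's own.

```python
# Added example (not from the paper): the "paradox" for Rabin encryption in
# code. The textbook reduction turns any inverter for x -> x^2 mod n into a
# factoring algorithm, and a decryption oracle is exactly such an inverter, so
# one chosen-ciphertext query per trial recovers the factorization. The primes
# and seeds used here are constructed toy values.
import random
from math import gcd

def rabin_encrypt(n, m):
    """Rabin encryption: c = m^2 mod n."""
    return m * m % n

def sqrt_mod_prime(a, p):
    """A square root of a modulo a prime p = 3 (mod 4); a must be a square."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    assert r * r % p == a % p
    return r

def crt(rp, p, rq, q):
    """Combine residues rp mod p and rq mod q into a residue mod p*q."""
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)

def rabin_decrypt(p, q, c):
    """Decryption with the trapdoor (p, q): returns one of the four square
    roots of c. The choice depends only on c (it is deterministic), which is
    all the reduction below needs; a real scheme adds redundancy to pick the
    message root, which does not change the argument."""
    return crt(sqrt_mod_prime(c % p, p), p, sqrt_mod_prime(c % q, q), q)

def factor_with_inverter(n, inverter, rng=random, tries=64):
    """Reduction FACT -> OW: pick a random r and ask for some square root s
    of r^2. With probability 1/2 the answer is neither r nor -r, and then
    gcd(r - s, n) is a proper factor because (r - s)(r + s) = 0 mod n.
    Returns the sorted factor pair, or None if every trial was unlucky."""
    for _ in range(tries):
        r = rng.randrange(1, n)
        d = gcd(r, n)
        if d != 1:                      # r already shares a factor with n
            return tuple(sorted((d, n // d)))
        s = inverter(r * r % n)
        if s not in (r, n - r):
            d = gcd(r - s, n)
            if 1 < d < n:
                return tuple(sorted((d, n // d)))
    return None

def chosen_ciphertext_total_break(p, q, seed=7):
    """The trade-off in one line: the adversary never sees p or q, it only
    submits ciphertexts r^2 to the decryption oracle and runs the reduction
    on the answers, recovering the whole private key."""
    n = p * q
    oracle = lambda c: rabin_decrypt(p, q, c)   # black-box decryption access
    return factor_with_inverter(n, oracle, rng=random.Random(seed))
```

The point of the two functions is that `factor_with_inverter` is the security proof (any inverter factors) and `chosen_ciphertext_total_break` is the attack, and they are the same code with a different argument. This is what makes the reduction key-preserving in the paper's terminology: the inverter is always queried under the very modulus that is to be factored. The two-moduli constructions mentioned in the abstract break this pattern because the decryption oracle answers under keys the reduction does not need to factor.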

In an early attempt to capture this intuition, Williams [22] makes the following (over)statement¹: if the one-wayness of a factoring-based cryptosystem $\mathcal{E}$ is equivalent to factoring then $\mathcal{E}$ can be totally broken under chosen-ciphertext attack. A simple proof for this claim was later shown to be incorrect by Goldwasser, Micali and Rivest [13], and the first public-key encryption scheme fully IND-CCA-secure under the factoring assumption was then discovered by Dolev, Dwork and Naor a few years later [10]. However, the incompatibility seems to persist for factoring-based encryption for which the public key consists of a single modulus.

Our Contributions. Our goal in this paper is to revisit [20,22,13] completely and clarify the conditions for such security incompatibilities to exist. We find that when properly formulated, certain security reductions for one-wayness and chosen-ciphertext security are indeed incompatible when considering single-key factoring-based encryption i.e. where the public key is just made of one hard-to-factor modulus. We reformulate the paradox observed by Williams in terms of key-preserving black-box reductions i.e. reductions which always call the adversarial oracle with the public key they were given as input. We strengthen the original observation to show that if one can provide a key-preserving reduction from factoring to the (chosen-plaintext) semantic security of $\mathcal{E}$, then $\mathcal{E}$ cannot fulfil plaintext-checking security. Plaintext-checking attacks, introduced in [18], assume that the attacker is given oracle access to a distinguishing oracle that tells whether a given ciphertext encrypts a given plaintext. It follows from combining these results that a wide class of factoring-based cryptosystems admit no key-preserving black-box reduction from factoring to breaking the security notions IND-CCA, OW-CCA and IND-PCA in the standard model. This provides black-box separations with well-known security proofs standing in the RO model [2] such as the one of Rabin-SAEP [5]. We provide later an explanation as to why these incompatibilities are avoided in the case of Naor-Yung [17] and Dolev-Dwork-Naor [10] constructions where public keys are composed of two or more independent moduli, as well as in the RO model.

Finally, we define the notion of non-malleable key generators, which formally captures the property that the factorizations of two public moduli $n, n'$ where $n \neq n'$ are somehow “computationally independent” from one another. Similar notions of non-malleability for discrete logarithms recently appeared in [14,16]. Using non-malleability, we extend the scope of the previous impossibility results to arbitrary black-box reductions. Our refined results state that simple and innocuous-looking RO-secure factoring-based encryption schemes (e.g. Rabin-SAEP), when combined with non-malleable key generation, black-box separate the RO model from the standard model in a very strong sense: IND-CCA security is equivalent to FACT in the RO model while no instantiation of these schemes preserves such equivalence in the standard model.

¹ The paradox appearing in [20,22,13] is discussed in the context of factoring-based signatures. This is a straightforward reformulation for factoring-based encryption.

We note that all impossibility results stated in this paper are easily transposed 
(mutatis mutandis) to factoring-based signature schemes. We do not treat the 
case of signatures here due to lack of space. 

Roadmap. The paper is structured as follows. Section 2 gives preliminary facts about black-box reductions, single-key factoring-based encryption schemes and related security notions. Section 3 formally establishes the tradeoff between one-wayness and chosen-ciphertext security. We also put forward a second tradeoff between semantic security against passive adversaries and plaintext-checking security. In Section 4, we give a formal definition of non-malleable instance generators and provide extended impossibility results. Section 5 discusses possible countermeasures such as encryption twinning to overcome these tradeoffs. We finally conclude on directions for further research in Section 6.

2 Preliminaries

Instance Generators. We define FACT as the problem of computing the list of all prime factors $\mathsf{factors}(n) = (p_1, \ldots, p_t)$ of a randomly chosen positive integer $n$. In cryptographic applications, one generally focuses on a specifically chosen distribution of hard instances by defining an instance generator $\mathsf{Gen}$. Given a security parameter $k$, $\mathsf{Gen}(1^k)$ generates a hard-to-factor modulus $n$, as well as the side information $\mathsf{factors}(n)$. A probabilistic algorithm $\mathcal{A}$ is said to $(\varepsilon, \tau)$-break $\mathrm{FACT}[\mathsf{Gen}]$ when

$$\Pr\left[(n, \mathsf{factors}(n)) \leftarrow \mathsf{Gen}(1^k) : \mathcal{A}(n) = \mathsf{factors}(n)\right] \geq \varepsilon,$$

where the probability is taken over the random coins of $\mathcal{A}$ and $\mathsf{Gen}$, and $\mathcal{A}$ halts after $\tau$ steps. $\mathrm{FACT}[\mathsf{Gen}]$ is commonly referred to as the “factoring problem” when $\mathsf{Gen}$ is specified implicitly. For readability reasons, we may equivalently write $(n, \mathsf{factors}(n)) \leftarrow \mathsf{Gen}(1^k)$ or $n \leftarrow \mathsf{Gen}(1^k)$ to state that $n$ is drawn according to the distribution induced by $\mathsf{Gen}(1^k)$. We denote by $\mathcal{N}_k$ the range of $n$, i.e. the set of integers $n$ such that $\Pr[n \leftarrow \mathsf{Gen}(1^k)] > 0$, and $\mathcal{S}_k = \mathsf{factors}(\mathcal{N}_k)$. Finally $\mathcal{N} = \cup_k \mathcal{N}_k$ and $\mathcal{S} = \cup_k \mathcal{S}_k$. Here are some instance generators commonly used in factoring-based encryption:

Rabin-Williams. Given $1^k$, select uniformly at random two $\lceil k/2 \rceil$-bit primes $p$ and $q$ such that $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$. Set $n = pq$ and output $(n, (p, q))$.

OU. Given $1^k$, randomly select two $\lceil k/3 \rceil$-bit primes $p$ and $q$. Set $n = p^2 q$ and output $(n, (p, q))$.

RSA-$e$. Given a small integer $e$ and $1^k$, randomly select two $\lceil k/2 \rceil$-bit primes $p$ and $q$ such that $\gcd(p-1, e) = \gcd(q-1, e) = 1$. Set $n = pq$ and output $(n, (p, q))$.

Sophie-Germain. Given $1^k$, randomly select two $(\lceil k/2 \rceil - 1)$-bit primes $p'$ and $q'$ such that $p = 2p'+1$ and $q = 2q'+1$ are also prime. Set $n = pq$ and output $(n, (p, q))$.
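The four instance generators above, written out as an added Python example (not the paper's code): each returns $(n, \mathsf{factors}(n))$ by rejection sampling over Miller-Rabin-tested primes, and a companion predicate checks that a pair lies in the generator's range $\mathcal{N}_k \times \mathcal{S}_k$ as defined. The Miller-Rabin helper and the default $e = 65537$ for RSA-$e$ are assumptions of the example.

```python
import math
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test: always right on primes, wrong on a composite w.p. < 4^-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # uniform witness candidate in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int, accept=lambda p: True) -> int:
    """Rejection-sample a prime of exactly `bits` bits that satisfies `accept`."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force bit length and oddness
        if accept(p) and is_probable_prime(p):
            return p

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

# Rabin-Williams: ceil(k/2)-bit primes with p = 3 (mod 8), q = 7 (mod 8); n = pq.
def gen_rabin_williams(k: int):
    half = ceil_div(k, 2)
    p = random_prime(half, lambda x: x % 8 == 3)
    q = random_prime(half, lambda x: x % 8 == 7)
    return p * q, (p, q)

def in_range_rabin_williams(k: int, n: int, factors) -> bool:
    """Membership test for N_k x S_k of the Rabin-Williams generator."""
    p, q = factors
    return (n == p * q and p.bit_length() == q.bit_length() == ceil_div(k, 2)
            and p % 8 == 3 and q % 8 == 7
            and is_probable_prime(p) and is_probable_prime(q))

# OU (Okamoto-Uchiyama): two ceil(k/3)-bit primes; n = p^2 q.
def gen_ou(k: int):
    third = ceil_div(k, 3)
    p, q = random_prime(third), random_prime(third)
    return p * p * q, (p, q)

def in_range_ou(k: int, n: int, factors) -> bool:
    p, q = factors
    return (n == p * p * q and p.bit_length() == q.bit_length() == ceil_div(k, 3)
            and is_probable_prime(p) and is_probable_prime(q))

# RSA-e: ceil(k/2)-bit primes with gcd(p-1, e) = gcd(q-1, e) = 1; n = pq.
# The default e = 65537 is an assumption of this example, not fixed by the paper.
def gen_rsa_e(k: int, e: int = 65537):
    half = ceil_div(k, 2)
    def coprime(x: int) -> bool:
        return math.gcd(x - 1, e) == 1
    p, q = random_prime(half, coprime), random_prime(half, coprime)
    return p * q, (p, q)

def in_range_rsa_e(k: int, n: int, factors, e: int = 65537) -> bool:
    p, q = factors
    return (n == p * q and p.bit_length() == q.bit_length() == ceil_div(k, 2)
            and math.gcd(p - 1, e) == 1 and math.gcd(q - 1, e) == 1
            and is_probable_prime(p) and is_probable_prime(q))

# Sophie-Germain: (ceil(k/2)-1)-bit primes p', q' with p = 2p'+1, q = 2q'+1 prime; n = pq.
def gen_sophie_germain(k: int):
    bits = ceil_div(k, 2) - 1
    p = 2 * random_prime(bits, lambda x: is_probable_prime(2 * x + 1)) + 1
    q = 2 * random_prime(bits, lambda x: is_probable_prime(2 * x + 1)) + 1
    return p * q, (p, q)

def in_range_sophie_germain(k: int, n: int, factors) -> bool:
    p, q = factors
    return (n == p * q and p.bit_length() == q.bit_length() == ceil_div(k, 2)
            and is_probable_prime(p) and is_probable_prime(q)
            and is_probable_prime((p - 1) // 2) and is_probable_prime((q - 1) // 2))
```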

Single-Key Factoring-Based Encryption. A single-key factoring-based encryption scheme $\mathcal{E}$ with security parameter $k$ can be described as the combination of an instance generator $\mathsf{Gen}$ with a family of trapdoor functions on $\mathsf{Gen}$, namely a pair $(\mathsf{Enc}, \mathsf{Dec})$ such that for any $n \in \mathcal{N}$, $\mathsf{Enc}(n, \cdot, \cdot)$ and $\mathsf{Dec}(\mathsf{factors}(n), \cdot)$ are integer-valued functions

$$\mathsf{Enc}(n, \cdot, \cdot) : \mathcal{M}_n \times \mathcal{R}_n \to \mathcal{C}_n, \qquad \mathsf{Dec}(\mathsf{factors}(n), \cdot) : \mathcal{C}_n \to \mathcal{M}_n$$

where $\mathcal{M}_n$, $\mathcal{R}_n$ and $\mathcal{C}_n$ denote respectively the plaintext, random and ciphertext spaces². We impose that for any $n \in \mathcal{N}$, $m \in \mathcal{M}_n$ and $r \in \mathcal{R}_n$, $\mathsf{Dec}(\mathsf{factors}(n), \mathsf{Enc}(n, m, r)) = m$. When $\mathsf{Enc}(n, \mathcal{M}_n, \mathcal{R}_n) \subsetneq \mathcal{C}_n$, some elements of $\mathcal{C}_n$ are not proper ciphertexts. When $c \notin \mathsf{Enc}(n, \mathcal{M}_n, \mathcal{R}_n)$, $\mathsf{Dec}(\mathsf{factors}(n), c)$ returns a failure symbol $\bot \in \mathcal{M}_n$. We impose that $\mathsf{Enc}(n, \cdot, \cdot)$ and $\mathsf{Dec}(\mathsf{factors}(n), \cdot)$ be efficiently computable for any arguments, i.e. can be evaluated in time at most $\mathrm{poly}(k)$ for $n \in \mathcal{N}_k$. We identify $\mathcal{E} = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ with the three following probabilistic procedures:

$\mathcal{E}.\mathsf{keygen}$: Run $\mathsf{Gen}(1^k)$ to get $(n, \mathsf{factors}(n))$. The secret key is $\mathsf{factors}(n)$ while the public key is $n$.

$\mathcal{E}.\mathsf{encrypt}$: Given a public key $n$ and a message $m \in \mathcal{M}_n$, select $r \leftarrow \mathcal{R}_n$ uniformly at random and compute $c = \mathsf{Enc}(n, m, r)$. The output ciphertext is $c \in \mathcal{C}_n$.

$\mathcal{E}.\mathsf{decrypt}$: Given the secret key $\mathsf{factors}(n)$ and a ciphertext $c \in \mathcal{C}_n$, output $m = \mathsf{Dec}(\mathsf{factors}(n), c)$.

Examples of single-key factoring-based cryptosystems as defined above are countless: RSA³ and its numerous variants OAEP [3], REACT-RSA [18], PKCS#1 v1.5 [21], Rabin and related systems (Rabin-Williams [22], Blum-Goldwasser [4], Chor-Goldreich [8], Rabin-SAEP [5]), Naccache-Stern, Okamoto-Uchiyama and the EPOC family [12,11], Paillier [19] and variants. Many elliptic-curve-based cryptosystems such as KMOV [15], Vanstone-Zuccherato or Demytko [9] also fall into this category. We refer the reader to the extensive literature on factoring and its applications to cryptography for more detail.

² $\mathcal{R}_n$ is the empty set when encryption is deterministic.

³ If the public exponent $e$ is fixed (as usually done in practice), RSA decryption can be performed given the factors of $n$ only.



256 P. Paillier and J.L. Villar


Black-Box Reductions. Black-box reductions constitute a natural tool to relate computational problems and capture the way most security proofs are constructed. Given two computational problems $P_1$ and $P_2$, a black-box reduction from $P_1$ to $P_2$ is a probabilistic algorithm $\mathcal{R}$ which solves $P_1$ with the help of an oracle solving instances of $P_2$. $\mathcal{R}$ interacts with the oracle strictly as defined by the specification of $P_2$ and in particular has no view on the internal tapes of the oracle. The (extra) time of $\mathcal{R}$ is the number of elementary steps required by $\mathcal{R}$ to complete, given that oracle calls count for one step by convention. A black-box reduction is polynomial when it runs in polynomial extra time (in a security parameter). It is crucial to keep in mind that $\mathcal{R}$ can be polynomial even when no polynomial-time algorithm solving $P_2$ is known to exist. We denote by $P_1 \Leftarrow P_2$ the fact that $P_1$ is polynomially black-box reducible to $P_2$. We write $P_1 \Leftarrow_{\mathcal{R}} P_2$ when $\mathcal{R}$ is known to reduce $P_1$ to $P_2$. Polynomial equivalence is denoted by $P_1 \equiv P_2$. $\mathsf{Succ}(P, \tau)$ stands for the maximal success probability of probabilistic algorithms solving $P$ in no more than $\tau$ elementary steps. Similarly, $\mathsf{Succ}(P_1 \Leftarrow P_2, \tau, \varepsilon, \ell)$ stands for the maximal success probability of probabilistic algorithms solving $P_1$ in no more than $\tau$ elementary steps and at most $\ell$ calls to an oracle solving $P_2$ with probability $\varepsilon$. All the reductions considered in this paper are black-box.

Security Notions for Factoring-Based Encryption. Security notions for encryption schemes are obtained by combining an adversarial goal with an attack model. (Goals) We say that an encryption scheme is unbreakable (UBK) when one cannot extract the secret key matching a prescribed public key. The scheme is said to be one-way (OW) when no adversary can recover a plaintext given its encryption. Indistinguishability (IND, a.k.a. semantic security) relates to the hardness of deciding whether a given ciphertext encrypts a given plaintext. (Attacks) We consider three attack models in this paper. In a chosen-plaintext attack (CPA), the adversary is given nothing more than the public key as input. In a plaintext-checking attack (PCA), the adversary is given access to a plaintext-checking oracle that tells whether a given ciphertext encrypts a given plaintext [18]. In a chosen-ciphertext attack (CCA), the adversary has access to a decryption oracle. Oracle access in OW-CCA, IND-PCA and IND-CCA games is limited in the sense that the adversary is not allowed to call the oracle on the challenge ciphertext itself. These definitions are classical. We refer to [1,18] for more detail on security notions for encryption schemes.

For convenience, we denote security notions in a positive fashion, e.g. OW-PCA$[\mathcal{E}]$ denotes the problem of breaking the one-wayness of $\mathcal{E}$ under plaintext-checking attack. This convention allows one to easily describe hierarchies between security notions using reductions. When the focus is on an adaptive attack (i.e. either PCA or CCA), we denote by $\ell$-GOAL-ATK$[\mathcal{E}]$ the problem of breaking GOAL in no more than $\ell$ calls to the resource defined by ATK. Thus, breaking $\ell$-IND-CCA$[\mathcal{E}]$ authorizes at most $\ell$ calls to the decryption oracle to break IND. We recall that GOAL-CCA$[\mathcal{E}] \Leftarrow$ GOAL-PCA$[\mathcal{E}] \Leftarrow$ GOAL-CPA$[\mathcal{E}]$ for any factoring-based encryption scheme $\mathcal{E}$ and adversarial goal GOAL $\in \{\mathrm{UBK}, \mathrm{OW}, \mathrm{IND}\}$. We also have UBK-CPA$[\mathcal{E}] \equiv \mathrm{FACT}[\mathcal{E}.\mathsf{keygen}]$. We plot on Fig. 1 the map of security levels needed for the sake of this work.

$$\begin{array}{ccccccc}
\mathrm{UBK\text{-}CCA}[\mathcal{E}] & \Leftarrow & \mathrm{UBK\text{-}PCA}[\mathcal{E}] & \Leftarrow & \mathrm{UBK\text{-}CPA}[\mathcal{E}] & \equiv & \mathrm{FACT}[\mathcal{E}.\mathsf{keygen}] \\
\Downarrow & & \Downarrow & & \Downarrow & & \\
\mathrm{OW\text{-}CCA}[\mathcal{E}] & \Leftarrow & \mathrm{OW\text{-}PCA}[\mathcal{E}] & \Leftarrow & \mathrm{OW\text{-}CPA}[\mathcal{E}] & & \\
\Downarrow & & \Downarrow & & \Downarrow & & \\
\mathrm{IND\text{-}CCA}[\mathcal{E}] & \Leftarrow & \mathrm{IND\text{-}PCA}[\mathcal{E}] & \Leftarrow & \mathrm{IND\text{-}CPA}[\mathcal{E}] & &
\end{array}$$

Fig. 1. Relations among security notions for single-key factoring-based encryption

3 Impossibility Results for Key-Preserving Reductions

In this section we focus on the standard-model security of single-key factoring-based encryption schemes. All black-box reductions known for such schemes are key-preserving, meaning informally that they make oracle calls to the adversary with the same key that they are given as input. We properly formalize this particular class of reductions in our setting⁴.

3.1 Key-Preserving Black-Box Reductions

Definition. We define key preservation for arbitrary security games related to a single-key factoring-based encryption scheme $\mathcal{E}$. Assume that $P_1[\mathcal{E}]$ and $P_2[\mathcal{E}]$ are two computational problems (view $P_1$ and $P_2$ as security notions) associated to $\mathcal{E}$. Consider a black-box reduction algorithm $\mathcal{R}$ such that $P_1[\mathcal{E}] \Leftarrow_{\mathcal{R}} P_2[\mathcal{E}]$, meaning that $\mathcal{R}$ makes oracle calls to an algorithm $\mathcal{A}$ breaking $P_2[\mathcal{E}]$ to break $P_1[\mathcal{E}]$. Let $\mathsf{Keys}(n, \mathsf{aux}, \varpi)$ be the list $(n_1, \ldots, n_\ell)$ of public keys given by $\mathcal{R}$ as input to $\mathcal{A}$, where $(n, \mathsf{aux})$ is the modulus and auxiliary input for which $\mathcal{R}$ has to break $P_1[\mathcal{E}]$ and $\varpi \in \{0,1\}^{\mathrm{poly}(k)}$ denotes the random tape of $\mathcal{R}$. Here the auxiliary input $\mathsf{aux}$ depends on the specification of $P_1$. Note that the number $\ell$ of oracle calls is a deterministic function of $n$, $\mathsf{aux}$ and $\varpi$. $\mathcal{R}$ is said to be key-preserving when for any $\mathsf{aux}$, $\varpi$ and $n \in \mathcal{N}_k$, either $\ell = 0$ or $n_i = n$ for all $i \in [1, \ell]$.

Key-preservation is transitive. It is obvious that if $P_1[\mathcal{E}] \Leftarrow_{\mathcal{R}_1} P_2[\mathcal{E}]$ and $P_2[\mathcal{E}] \Leftarrow_{\mathcal{R}_2} P_3[\mathcal{E}]$ such that $\mathcal{R}_1$ and $\mathcal{R}_2$ are both key-preserving, then there is a key-preserving reduction $\mathcal{R}_3$ such that $P_1[\mathcal{E}] \Leftarrow_{\mathcal{R}_3} P_3[\mathcal{E}]$.

Reductions among security notions are key-preserving. We use later the property that all the straightforward black-box reductions between the classical security notions for $\mathcal{E}$, such as IND-CCA$[\mathcal{E}] \Leftarrow$ IND-PCA$[\mathcal{E}]$ and IND-CPA$[\mathcal{E}] \Leftarrow$ OW-CPA$[\mathcal{E}]$ and so forth [1], are key-preserving.

⁴ A similar class of reductions for RSA encryption called simple reductions was recently considered by Brown [7].

3.2 One-Wayness Versus Chosen-Ciphertext Security

The following reformulates the observation made by Williams [22].

Theorem 1. Let $\mathcal{E}$ be a single-key factoring-based encryption scheme. If there exists a polynomial key-preserving black-box reduction $\mathcal{R}$ such that FACT$[\mathcal{E}.\mathsf{keygen}] \Leftarrow_{\mathcal{R}}$ OW-CPA$[\mathcal{E}]$, then UBK-CCA$[\mathcal{E}]$ is polynomial.

Proof. The main idea of the proof is basically a one-line statement and follows the reasoning of [22,13]. Let $\mathcal{R}$ be such a key-preserving reduction algorithm, i.e. an algorithm that factors a modulus $n$ randomly selected by $\mathcal{E}.\mathsf{keygen}$ with non-negligible probability $\varepsilon_{\mathcal{R}}$ and extra time $\tau$ given black-box access to an adversary $\mathcal{A}$ breaking OW-CPA$[\mathcal{E}]$ with probability at least $\varepsilon$. We construct an adversary $\mathcal{M}$ against UBK-CCA$[\mathcal{E}]$.

Upon reception of the public key $n$ in the UBK-CCA game, $\mathcal{M}$ runs $\mathcal{R}$ on input $n$ and uses the decryption oracle to simulate the OW-CPA adversary. Since by definition the decryption oracle decrypts any ciphertext with probability $1 > \varepsilon$ in one elementary step, the simulation of $\mathcal{A}$ is perfect for any $\varepsilon \in (0,1)$. The simulation complies with the definition of $\mathcal{R}$ because $\mathcal{R}$ is key-preserving. It is therefore crucial that this property holds, otherwise $\mathcal{M}$ can by no means satisfy the queries $\mathcal{R}$ makes to $\mathcal{A}$.

$\mathcal{R}$ eventually returns the factorization of $n$ with probability $\varepsilon_{\mathcal{R}}$, which $\mathcal{M}$ then returns as output value. UBK-CCA$[\mathcal{E}]$ can therefore be broken with probability at least $\varepsilon_{\mathcal{R}}$ in extra time at most $\tau$. □

3.3 Indistinguishability Versus Plaintext-Checking Security

Let us now consider IND-CPA$[\mathcal{E}]$. We know that there is a key-preserving reduction IND-CPA$[\mathcal{E}] \Leftarrow$ OW-CPA$[\mathcal{E}]$ and also that key-preservation is transitive. Therefore Theorem 1 implies that there is no key-preserving reduction FACT$[\mathcal{E}.\mathsf{keygen}] \Leftarrow$ IND-CPA$[\mathcal{E}]$ unless UBK-CCA$[\mathcal{E}]$ is polynomial. But precisely because IND-CPA$[\mathcal{E}]$ is weaker than OW-CPA$[\mathcal{E}]$, a stronger incompatibility result can be found. We state:

Theorem 2. Let $\mathcal{E}$ be a single-key factoring-based encryption scheme. If there exists a polynomial key-preserving black-box reduction $\mathcal{R}$ such that FACT$[\mathcal{E}.\mathsf{keygen}] \Leftarrow_{\mathcal{R}}$ IND-CPA$[\mathcal{E}]$, then UBK-PCA$[\mathcal{E}]$ is polynomial.

Proof. Let us first describe in more detail the game played by a key-preserving reduction $\mathcal{R}$ such that FACT$[\mathcal{E}.\mathsf{keygen}] \Leftarrow_{\mathcal{R}}$ IND-CPA$[\mathcal{E}]$. Given a modulus $n$, $\mathcal{R}$ calls the adversarial oracle $\mathcal{A}$ breaking IND-CPA$[\mathcal{E}]$ as follows. When $\mathcal{R}$ calls $\mathcal{A}(\mathsf{find}, n)$, $\mathcal{A}$ outputs two plaintexts $m_0, m_1 \in \mathcal{M}_n$ of equal length. $\mathcal{R}$ then encrypts $m_b$ for $b \leftarrow \{0,1\}$ as $c_b$ and calls $\mathcal{A}(\mathsf{guess}, c_b)$. $\mathcal{A}$ then returns its guess $b' \in \{0,1\}$ to $\mathcal{R}$ and $\Pr[b' = b] \geq \varepsilon$. We may assume w.l.o.g. that $\mathcal{R}$ never calls $\mathcal{A}(\mathsf{guess}, c_b)$ before calling $\mathcal{A}(\mathsf{find}, n)$ first and always calls $\mathcal{A}(\mathsf{guess}, c_b)$ immediately after $\mathcal{A}(\mathsf{find}, n)$, and that $c_b$ is always a proper encryption of $m_0$ or $m_1$. Let $2\ell$ be the total number of calls to $\mathcal{A}$. Overall $\mathcal{R}$ returns $\mathsf{factors}(n)$ with probability $\varepsilon_{\mathcal{R}}$ and extra time $\tau$.

We construct a trivial meta-reduction $\mathcal{M}$ which converts the key-preserving black-box reduction $\mathcal{R}$ into an adversary against UBK-PCA$[\mathcal{E}]$ and works with identical success probability in similar time. $\mathcal{M}$ works as follows. Given a public key $n \leftarrow \mathcal{E}.\mathsf{keygen}$, $\mathcal{M}$ runs $\mathcal{R}$ on input $n$ and simulates the distinguisher $\mathcal{A}$ using the plaintext-checking oracle of the UBK-PCA game. When $\mathcal{R}$ calls $\mathcal{A}(\mathsf{find}, n)$, $\mathcal{M}$ returns two randomly selected plaintexts $m_0, m_1 \leftarrow \mathcal{M}_n$ of equal length. When $\mathcal{R}$ calls $\mathcal{A}(\mathsf{guess}, c_b)$, $\mathcal{M}$ sends $(m_1, c_b)$ to the plaintext-checking oracle and sends its output back to $\mathcal{R}$ (recall that given $(m, c) \in \mathcal{M}_n \times \mathcal{C}_n$, the plaintext-checking oracle returns 1 if $c$ encrypts $m$ and 0 otherwise). Eventually $\mathcal{R}$ stops and $\mathcal{M}$ forwards the output of $\mathcal{R}$. By definition, the plaintext-checking oracle distinguishes plaintext-ciphertext pairs with probability one and $\mathcal{M}$ therefore provides a perfect simulation of $\mathcal{A}$ to $\mathcal{R}$ for any $\varepsilon \in (0,1)$. Hence $\mathcal{M}$ outputs the factors of $n$ with identical probability $\varepsilon_{\mathcal{R}}$ in time $\tau + 2\ell\, p(k)$ where $p(k) = \mathrm{poly}(k)$ is the time needed to perform a random selection in $\mathcal{M}_n$. □

3.4 Separation Results

Corollary 1. Let $\mathcal{E}$ be a single-key factoring-based encryption scheme. Unless FACT$[\mathcal{E}.\mathsf{keygen}]$ is polynomial, there is no polynomial key-preserving black-box reduction FACT$[\mathcal{E}.\mathsf{keygen}] \Leftarrow$ IND-CCA$[\mathcal{E}]$.

Proof. Assume that FACT$[\mathcal{E}.\mathsf{keygen}] \Leftarrow_{\mathcal{R}_1}$ IND-CCA$[\mathcal{E}]$ for some polynomial key-preserving black-box (PKPBB) reduction $\mathcal{R}_1$. Since there exists a PKPBB reduction $\mathcal{R}_2$ such that IND-CCA$[\mathcal{E}] \Leftarrow_{\mathcal{R}_2}$ OW-CPA$[\mathcal{E}]$, there must be a PKPBB reduction $\mathcal{R}_3$ such that FACT$[\mathcal{E}.\mathsf{keygen}] \Leftarrow_{\mathcal{R}_3}$ OW-CPA$[\mathcal{E}]$ by transitivity, resulting in that UBK-CCA$[\mathcal{E}]$ is polynomial by Theorem 1. Moreover, since IND-CCA$[\mathcal{E}] \Leftarrow$ UBK-CCA$[\mathcal{E}]$, one gets that IND-CCA$[\mathcal{E}]$ is polynomial and therefore that FACT$[\mathcal{E}.\mathsf{keygen}]$ is polynomial as well. □

Similar impossibility results are found for other security notions such as OW-CCA$[\mathcal{E}]$ and IND-PCA$[\mathcal{E}]$ using Theorem 2.

The Typical Example of Rabin-SAEP. We illustrate the importance of Corollary 1 by deducing an uninstantiability result for Rabin-SAEP. We first recall the definition of Rabin-SAEP [5]. Let $s_m, s_0, s_1$ be security parameters and $k = s_m + s_0 + s_1$. $H$ denotes a fixed-size hash function $H : \{0,1\}^{s_1} \to \{0,1\}^{s_m + s_0}$. Here $k$ plays the role of security parameter and the security proofs in [5] view $s_m, s_0, s_1$ as polynomial functions of $k$.

Rabin-SAEP.keygen: Given $1^k$, generate a $(k+2)$-bit RSA modulus $n = pq$ with $|p| = |q| = \lceil k/2 \rceil + 1$, $p \equiv q \equiv 3 \pmod 4$ and $n \in [2^{k+1}, 2^{k+1} + 2^k)$. The secret key is $\mathsf{factors}(n) = (p, q)$ while the public key is $n$.

Rabin-SAEP.encrypt: Given a public key $n$, the message space is $\mathcal{M}_n = \{0,1\}^{s_m}$ and the random space is $\mathcal{R}_n = \{0,1\}^{s_1}$. For $(m, r) \in \mathcal{M}_n \times \mathcal{R}_n$, $\mathsf{Enc}(n, m, r)$ is defined as $\left(\left((m \,\|\, 0^{s_0}) \oplus H(r)\right) \,\|\, r\right)^2 \bmod n$. The ciphertext space is $\mathcal{C}_n = \mathbb{Z}_n$.

Rabin-SAEP.decrypt: Given $c \in \mathcal{C}_n$ and $(p, q)$, compute $z_p = c^{(p+1)/4} \bmod p$ and $z_q = c^{(q+1)/4} \bmod q$. Output $\bot$ if $z_p^2 \neq c \bmod p$ or $z_q^2 \neq c \bmod q$. Among the four values $\mathrm{CRT}(\pm z_p, \pm z_q)$, select the only one $y$ such that $y < n/2$ and $y$ can be parsed as $((m \,\|\, 0^{s_0}) \oplus H(r)) \,\|\, r$ for some $(m, r) \in \mathcal{M}_n \times \mathcal{R}_n$. If this fails or can be done for more than one value of $y$, output $\bot$. Otherwise output $m$.
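The Rabin-SAEP procedures above, together with the meta-reduction's simulation of the IND-CPA distinguisher from the proof of Theorem 2 (Section 3.3), as an added Python example that is not the paper's code: the simulated adversary decides nothing by itself, it forwards $(m_1, c_b)$ to the plaintext-checking oracle and relays the answer. Assumptions of the example: $H$ is instantiated as SHA-256 truncated to $s_m + s_0$ bits (the paper leaves $H$ open), parameter sizes are toy-sized, and primes are found by trial division.

```python
# Rabin-SAEP (keygen/encrypt/decrypt as defined above) plus the plaintext-checking
# simulation of an IND-CPA distinguisher from the proof of Theorem 2. Added example,
# not the paper's code. Assumed: H := SHA-256 truncated to s_m+s_0 bits; toy sizes.
import hashlib
import secrets
from dataclasses import dataclass
from math import isqrt

@dataclass(frozen=True)
class Params:
    s_m: int  # message bits
    s_0: int  # zero-padding bits
    s_1: int  # randomness bits

    @property
    def k(self) -> int:
        return self.s_m + self.s_0 + self.s_1

def H(r: int, P: Params) -> int:
    """H: {0,1}^{s_1} -> {0,1}^{s_m+s_0}; assumed instantiation, the paper leaves H open."""
    digest = hashlib.sha256(r.to_bytes((P.s_1 + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - (P.s_m + P.s_0))

def _is_prime(x: int) -> bool:  # exact trial division, adequate for toy sizes only
    return x >= 2 and all(x % d for d in range(2, isqrt(x) + 1))

def _prime_3_mod_4(bits: int) -> int:
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 3   # exact length, p = 3 mod 4
        if _is_prime(p):
            return p

def keygen(P: Params):
    """(k+2)-bit n = pq, |p| = |q| = ceil(k/2)+1, p = q = 3 mod 4,
    n in [2^(k+1), 2^(k+1) + 2^k); returns (n, factors(n))."""
    k, bits = P.k, -(-P.k // 2) + 1
    while True:
        p, q = _prime_3_mod_4(bits), _prime_3_mod_4(bits)
        n = p * q
        if p != q and (1 << (k + 1)) <= n < (1 << (k + 1)) + (1 << k):
            return n, (p, q)

def encrypt(n: int, m: int, r: int, P: Params) -> int:
    """Enc(n, m, r) = (((m || 0^{s_0}) xor H(r)) || r)^2 mod n."""
    assert 0 <= m < (1 << P.s_m) and 0 <= r < (1 << P.s_1)
    x = (((m << P.s_0) ^ H(r, P)) << P.s_1) | r
    return pow(x, 2, n)

def parse(y: int, P: Params):
    """Return m if y parses as ((m || 0^{s_0}) xor H(r)) || r, else None."""
    if y >= (1 << P.k):                      # must fit in k bits
        return None
    r = y & ((1 << P.s_1) - 1)
    w = (y >> P.s_1) ^ H(r, P)
    if w & ((1 << P.s_0) - 1):               # the s_0 padding bits must be zero
        return None
    return w >> P.s_0

def decrypt(sk, n: int, c: int, P: Params):
    """Rabin-SAEP.decrypt; None stands for the failure symbol."""
    p, q = sk
    z_p, z_q = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    if z_p * z_p % p != c % p or z_q * z_q % q != c % q:
        return None                          # c is not a square modulo n
    inv = pow(p, -1, q)
    found = []
    for a in (z_p, p - z_p):                 # the four roots CRT(+-z_p, +-z_q)
        for b in (z_q, q - z_q):
            y = (a + p * (((b - a) * inv) % q)) % n
            m = parse(y, P) if 2 * y < n else None
            if m is not None:
                found.append(m)
    return found[0] if len(found) == 1 else None   # exactly one admissible root

def pca_oracle(sk, n: int, P: Params):
    """Plaintext-checking oracle of the UBK-PCA game: True iff c encrypts m."""
    return lambda m, c: decrypt(sk, n, c, P) == m

class SimulatedDistinguisher:
    """M's stand-in for the IND-CPA adversary A in the proof of Theorem 2: random
    m_0 != m_1 on find, and one plaintext-checking query on guess."""
    def __init__(self, check, P: Params):
        self.check, self.P = check, P

    def find(self, n: int):
        size = 1 << self.P.s_m
        self.m0 = secrets.randbelow(size)
        self.m1 = (self.m0 + 1 + secrets.randbelow(size - 1)) % size   # distinct
        return self.m0, self.m1

    def guess(self, c: int) -> int:
        return 1 if self.check(self.m1, c) else 0

def challenge_round(n: int, dist: SimulatedDistinguisher, P: Params):
    """One find/guess exchange as the reduction R would play it: returns (b, b')."""
    m0, m1 = dist.find(n)
    b = secrets.randbits(1)
    c = encrypt(n, (m0, m1)[b], secrets.randbits(P.s_1), P)
    return b, dist.guess(c)
```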

It is easily seen that Rabin-SAEP is a single-key factoring-based encryption scheme as per the definition of Section 2. We refer to [5, Section 4] for a proof that Rabin-SAEP is chosen-ciphertext secure under the factoring assumption in the RO model:

Theorem 3 (RO-model security of Rabin-SAEP [5]). Let us view $H$ as a random oracle. There exists a PKPBB reduction $\mathcal{R}$ such that FACT[Rabin-SAEP.keygen] $\Leftarrow_{\mathcal{R}}$ IND-CCA[Rabin-SAEP].

We now state that for any instantiation of $H$, Rabin-SAEP does not admit a standard-model counterpart of Theorem 3. This impossibility result comes as a direct application of Corollary 1.

Theorem 4 (Standard-model security of Rabin-SAEP). Assuming FACT[Rabin-SAEP.keygen] is intractable, there exists no PKPBB reduction FACT[Rabin-SAEP.keygen] $\Leftarrow$ IND-CCA[Rabin-SAEP].

Similar separations can be obtained for a wide range of factoring-based encryption schemes whose chosen-ciphertext security is shown to be equivalent to factoring through key-preserving reductions in the RO model, such as Rabin/RW-SAEP[+]/OAEP[+][+]/REACT, EPOC-2 [11], etc.

What Goes Wrong in the RO Model. Consider the meta-reduction $\mathcal{M}$ in the proof of Theorem 1. $\mathcal{M}$ cannot make any appropriate use of a key-preserving reduction $\mathcal{R}$ standing in the RO model. In a typical random-oracle-based reduction, the random oracles of $\mathcal{E}$ are simulated by $\mathcal{R}$. This additional power is beneficial to $\mathcal{R}$, which introduces some form of correlation between its own variables and the responses of the simulated oracles. In a sense, $\mathcal{R}$ is not totally black-box, i.e. does not only rely on the input-output behavior of the OW-CPA adversary, because $\mathcal{R}$ controls the interactions between the adversary and the random oracles to increase its success probability.

In the chosen-ciphertext security game, however, the decryption oracle makes implicit calls (i.e. not controllable by any simulator) to the random oracles. Therefore, the meta-reduction cannot influence the decryption procedure by mimicking $\mathcal{R}$ and consequently can by no means correlate the internal variables of the decryption oracle to its own variables the same way $\mathcal{R}$ does with the OW-CPA adversary. This explains why the RO model is unaware of incompatibilities in a general sense.
4 Extended Results for Non-malleable Key Generation

What we are after in this section is a way to strengthen the previous impossibility results. Recall we had to restrict the scope of Theorems 1 and 2 to key-preserving security reductions because the meta-reduction $\mathcal{M}$ was unable to simulate the adversary $\mathcal{A}$ when $\mathcal{R}$ makes oracle calls to $\mathcal{A}$ with arbitrary moduli. Our approach is to explicitly assume, as a property of the key generation of $\mathcal{E}$, that calling $\mathcal{A}$ with $n' \neq n$ is essentially of no help to $\mathcal{R}$ anyway. It appears that one faces definitional options when capturing this in a formal way: what we provide hereafter is the simplest definition that is strong enough for our purposes. This in turn allows us to consider arbitrary black-box reductions at the expense of making a complexity assumption on the key generation of $\mathcal{E}$.

4.1 Defining Non-malleable Generators

Intuition. An instance generator $\mathsf{Gen}$ is said to be malleable if factoring a randomly selected instance $n \leftarrow \mathsf{Gen}(1^k)$ becomes substantially easier when given repeated access to an oracle which factors other instances $n' \neq n$ for $n' \in \mathcal{N}_k$. A typical example of malleability is when $\mathcal{N}_k$ contains integers of variable size and number of prime factors. It is indeed trivial to factor $n$ given an oracle that factors $n' = an$ if it happens that both $n$ and $n'$ are proper elements of $\mathcal{N}_k$. We observe that most factoring-based cryptosystems define instance generators which precisely tend to avoid this malleability property by construction (see Section 2). What we need for our purposes is to define non-malleability in a strong sense.

Definition. To properly capture non-malleability, we define two games in which a probabilistic algorithm $\mathcal{R}$ attempts to factor $n \leftarrow \mathsf{Gen}(1^k)$ given access to an oracle $\mathcal{A}(n, \mathsf{aux})$ solving with probability one some computational problem reducible to FACT$[\mathsf{Gen}]$. Here, $\mathcal{A}$ models the computational resources $\mathcal{R}$ has access to and $\mathsf{aux}$ stands for any auxiliary input given to the oracle $\mathcal{A}$ depending on how $\mathcal{A}$ is specified. We may write $\mathcal{A}(n, \cdot)$ instead of $\mathcal{A}(n, \mathsf{aux})$ to signify that $\mathsf{aux}$ is chosen freely and arbitrarily by $\mathcal{R}$ when $\mathcal{A}$ is called. Since we impose that oracle $\mathcal{A}$ be perfect, we can abuse notations and identify $\mathcal{A}$ with the problem solved by $\mathcal{A}$. A typical example of computational resources modelled by $\mathcal{A}$ is when $\mathcal{A}$ is polynomial (in which case $\mathcal{R}$ is given no extra power), but one may consider problems reducible to FACT$[\mathsf{Gen}]$ that do confer a computational advantage to $\mathcal{R}$, such as distinguishing quadratic residues modulo $n$, extracting $e$-th roots for $\gcd(e, \varphi(n)) = 1$ and so forth. In any case, we require $\mathcal{A}$ to be perfectly reducible to FACT$[\mathsf{Gen}]$ in polynomial time, that is, for any $n \in \mathcal{N}_k$ and any admissible value for $\mathsf{aux}$, $\mathcal{A}(n, \mathsf{aux})$ must be solvable with probability one in time $t_{\mathcal{A}} = \mathrm{poly}(k)$ given $\mathsf{factors}(n)$. In Game 0, the success probability of $\mathcal{R}$ is defined as

$$\mathsf{Succ}^{\mathrm{Game\,0}}_{\mathsf{Gen}}(\mathcal{R}, \mathcal{A}, \tau, \ell) = \Pr\left[n \leftarrow \mathsf{Gen}(1^k) : \mathcal{R}^{\mathcal{A}(n, \cdot)}(n) = \mathsf{factors}(n)\right]$$

where the probability is taken over the random tapes of $\mathcal{R}$ and $\mathcal{A}$, $\mathcal{R}$ runs in extra time at most $\tau$ and makes at most $\ell$ queries to $\mathcal{A}(n, \cdot)$. We further define

$$\mathsf{Succ}^{\mathrm{Game\,0}}_{\mathsf{Gen}}(\mathcal{A}, \tau, \ell) = \max_{\mathcal{R}} \mathsf{Succ}^{\mathrm{Game\,0}}_{\mathsf{Gen}}(\mathcal{R}, \mathcal{A}, \tau, \ell)$$

where the maximum is taken over all probabilistic algorithms $\mathcal{R}$ playing Game 0. This can be interpreted as the success probability of the best reduction that makes use of $\mathcal{A}(n, \mathsf{aux})$ to factor $n$ for the given reduction parameters $(\tau, \ell)$. In Game 1, the reduction $\mathcal{R}$ is given, in addition to $\mathcal{A}$, access to an auxiliary oracle $\mathrm{FACT}(\cdot)$ that factors integers $n' \in \mathcal{N}_k \setminus \{n\}$ with probability one. Its success probability $\mathsf{Succ}^{\mathrm{Game\,1}}_{\mathsf{Gen}}(\mathcal{R}, \mathcal{A}, \tau, \ell)$ is then

$$\Pr\left[n \leftarrow \mathsf{Gen}(1^k) : \mathcal{R}^{\mathcal{A}(n, \cdot),\, \mathrm{FACT}(\cdot)}(n) = \mathsf{factors}(n)\right]$$

where the probability is taken over the random tapes of $\mathcal{R}$ and $\mathcal{A}$, $\mathcal{R}$ runs in extra time at most $\tau$, makes $\ell_{\mathcal{A}}$ calls to $\mathcal{A}(n, \cdot)$ and $\ell_{\mathrm{FACT}}$ calls of the type $\mathrm{FACT}(n')$ with $n' \in \mathcal{N}_k \setminus \{n\}$ such that $\ell_{\mathcal{A}} + \ell_{\mathrm{FACT}} \leq \ell$. Let us define

$$\mathsf{Succ}^{\mathrm{Game\,1}}_{\mathsf{Gen}}(\mathcal{A}, \tau, \ell) = \max_{\mathcal{R}} \mathsf{Succ}^{\mathrm{Game\,1}}_{\mathsf{Gen}}(\mathcal{R}, \mathcal{A}, \tau, \ell)$$

where the maximum is taken over all probabilistic algorithms $\mathcal{R}$ playing Game 1. This measures the success probability of the best reduction that uses simultaneously oracles $\mathcal{A}(n, \cdot)$ and $\mathrm{FACT}(\cdot)$ to factor $n$ in time $\tau$ and totalling no more than $\ell$ oracle calls. We finally define the malleability of $\mathsf{Gen}$ as

$$\Delta_{\mathsf{Gen}}(\tau, \ell) = \max_{\mathcal{A} \Leftarrow \mathrm{FACT}[\mathsf{Gen}]} \left| \mathsf{Succ}^{\mathrm{Game\,1}}_{\mathsf{Gen}}(\mathcal{A}, \tau, \ell) - \mathsf{Succ}^{\mathrm{Game\,0}}_{\mathsf{Gen}}(\mathcal{A}, \tau, \ell) \right|,$$

where the maximum is now taken over all computational problems $\mathcal{A}$ perfectly reducible to FACT$[\mathsf{Gen}]$ in polynomial time.

Remark 1. It is easily seen that $\Delta_{\mathsf{Gen}}(\tau, 0) = 0$ for any $\tau > 0$.

Definition 1 (Non-Malleable Instance Generators). We say that an instance generator $\mathsf{Gen}$ is non-malleable when $\Delta_{\mathsf{Gen}}(\tau, \ell)$ remains polynomially negligible in $k$ when $\tau = \mathrm{poly}(k)$ and $\ell = \mathrm{poly}(k)$.

Remark 2. The purpose of Game 0 is to include all key-preserving reductions $\mathcal{R}$ such that FACT$[\mathsf{Gen}] \Leftarrow_{\mathcal{R}} \mathcal{A}$. Since the success probability $\varepsilon$ of the adversarial oracle plays no role in the proofs of Theorems 1 and 2, these can be reformulated as follows. For any positive integers $\tau, \ell$:

$$\text{Th. 1:}\quad \mathsf{Succ}^{\mathrm{Game\,0}}_{\mathcal{E}.\mathsf{keygen}}(\mathrm{OW\text{-}CPA}[\mathcal{E}], \tau, \ell) \leq \mathsf{Succ}(\ell\text{-}\mathrm{UBK\text{-}CCA}[\mathcal{E}], \tau)$$

$$\text{Th. 2:}\quad \mathsf{Succ}^{\mathrm{Game\,0}}_{\mathcal{E}.\mathsf{keygen}}(\mathrm{IND\text{-}CPA}[\mathcal{E}], \tau, \ell) \leq \mathsf{Succ}(\ell\text{-}\mathrm{UBK\text{-}PCA}[\mathcal{E}], \tau + 2\ell\, p(k))$$
4.2 A Fundamental Lemma

We now come back to our earlier discussion about extending the scope of Theorem 1 and dealing with $\mathcal{R}$ calling $\mathcal{A}$ with arbitrary moduli $n' \neq n$. The oracle calls $\mathcal{R}$ makes to $\mathcal{A}$ are now of two types: calls with the same modulus $n$ (key-preserving calls) and calls with $n' \neq n$ (non-key-preserving calls). Our definition of non-malleability allows us to limit the computational advantage conferred to $\mathcal{R}$ by its non-key-preserving calls.

Lemma 1. Let $\mathsf{Gen}$ be an instance generator and let $\mathcal{A}$ be a computational problem perfectly reducible to FACT$[\mathsf{Gen}]$ in time $t_{\mathcal{A}}$. Then for any positive integers $\tau, \ell$ and any $\varepsilon \in (0, 1)$,

$$\mathsf{Succ}(\mathrm{FACT}[\mathsf{Gen}] \Leftarrow \mathcal{A}, \tau, \varepsilon, \ell) \leq \mathsf{Succ}^{\mathrm{Game\,1}}_{\mathsf{Gen}}(\mathcal{A}, \tau + \ell \cdot t_{\mathcal{A}}, \ell).$$

Proof. Recall that $\mathcal{A}$ denotes a computational problem here. Assume $\mathcal{R}$ $(\tau, \varepsilon, \ell)$-solves FACT$[\mathsf{Gen}] \Leftarrow \mathcal{A}$, i.e. factors $n \leftarrow \mathsf{Gen}(1^k)$ in extra time $\tau$ with no more than $\ell$ calls to an oracle $\mathcal{A}_{\mathcal{R}}$ solving $\mathcal{A}$ with probability $\varepsilon$. Let $\varepsilon_{\mathcal{R}}$ be the success probability of $\mathcal{R}$. We construct an algorithm $\mathcal{M}$ which plays Game 1 with respect to a perfect oracle $\mathcal{A}_{\mathcal{M}}$ for $\mathcal{A}$ and succeeds with identical probability and similar running time. Algorithm $\mathcal{M}$ works as follows. Given a randomly selected modulus $n \leftarrow \mathsf{Gen}(1^k)$, $\mathcal{M}$ runs $\mathcal{R}$ on input $n$. Now when $\mathcal{R}$ calls $\mathcal{A}_{\mathcal{R}}(n, \mathsf{aux})$, $\mathcal{M}$ calls $\mathcal{A}_{\mathcal{M}}(n, \mathsf{aux})$ and forwards the output to $\mathcal{R}$. When $\mathcal{R}$ calls $\mathcal{A}_{\mathcal{R}}(n', \mathsf{aux})$ for $n' \in \mathcal{N}_k \setminus \{n\}$, $\mathcal{M}$ calls $\mathrm{FACT}(n')$ to get $\mathsf{factors}(n')$ and solves $\mathcal{A}(n', \mathsf{aux})$ in time $t_{\mathcal{A}}$. $\mathcal{M}$ then returns the result to $\mathcal{R}$. $\mathcal{R}$ eventually stops and $\mathcal{M}$ returns the output of $\mathcal{R}$. The simulation of $\mathcal{A}_{\mathcal{R}}$ is perfect for any $\varepsilon \in (0, 1)$. $\mathcal{M}$ requires extra time at most $\tau + \ell \cdot t_{\mathcal{A}}$ and makes at most $\ell$ calls to oracles $\mathcal{A}_{\mathcal{M}}$ and $\mathrm{FACT}(\cdot)$ altogether. □

4.3 Extended Separation Results

Theorem 5. Let $\mathcal{E}$ be a single-key factoring-based encryption scheme and assume $\mathcal{E}.\mathsf{keygen}$ is non-malleable. If FACT$[\mathcal{E}.\mathsf{keygen}] \Leftarrow$ OW-CPA$[\mathcal{E}]$ then UBK-CCA$[\mathcal{E}]$ is polynomial.

Proof. Let us consider $\mathcal{A} = $ OW-CPA$[\mathcal{E}]$. Obviously $\mathcal{A}$ is perfectly reducible to FACT$[\mathcal{E}.\mathsf{keygen}]$ since given any $n \in \mathcal{N}_k$, $\mathsf{aux} = c \in \mathcal{C}_n$ and $\mathsf{factors}(n)$, $\mathcal{A}(n, \mathsf{aux})$ is solved by computing $m = \mathsf{Dec}(\mathsf{factors}(n), c)$ in time $t_{\mathcal{A}} = \mathrm{poly}(k)$. Applying Lemma 1, we get for any $\tau, \ell$ and $\varepsilon \in (0, 1)$:

$$\begin{aligned}
\mathsf{Succ}(\mathrm{FACT}[\mathcal{E}.\mathsf{keygen}] \Leftarrow \mathrm{OW\text{-}CPA}[\mathcal{E}], \tau, \varepsilon, \ell)
&\leq \mathsf{Succ}^{\mathrm{Game\,1}}_{\mathsf{Gen}}(\mathrm{OW\text{-}CPA}[\mathcal{E}], \tau + \ell \cdot \mathrm{poly}(k), \ell) \\
&\leq \mathsf{Succ}^{\mathrm{Game\,0}}_{\mathsf{Gen}}(\mathrm{OW\text{-}CPA}[\mathcal{E}], \tau + \ell \cdot \mathrm{poly}(k), \ell) + \Delta_{\mathsf{Gen}}(\tau + \ell \cdot \mathrm{poly}(k), \ell) \\
&\leq \mathsf{Succ}(\ell\text{-}\mathrm{UBK\text{-}CCA}[\mathcal{E}], \tau + \ell \cdot \mathrm{poly}(k)) + \Delta_{\mathsf{Gen}}(\tau + \ell \cdot \mathrm{poly}(k), \ell).
\end{aligned}$$

We now extend asymptotically the above to $\tau, \ell = \mathrm{poly}(k)$. Since $\mathcal{E}.\mathsf{keygen}$ is non-malleable, the malleability term $\Delta_{\mathsf{Gen}}(\tau + \ell \cdot \mathrm{poly}(k), \ell)$ remains negligible. Since $\mathsf{Succ}(\mathrm{FACT}[\mathcal{E}.\mathsf{keygen}] \Leftarrow \mathrm{OW\text{-}CPA}[\mathcal{E}], \tau, \varepsilon, \ell)$ is non-negligible by assumption, $\mathsf{Succ}(\ell\text{-}\mathrm{UBK\text{-}CCA}[\mathcal{E}], \tau + \ell \cdot \mathrm{poly}(k))$ must be non-negligible as well, thereby giving the result. □

The same proof technique applies to IND-CPA$[\mathcal{E}]$ and shows that there exists no reduction FACT$[\mathcal{E}.\mathsf{keygen}] \Leftarrow$ IND-CPA$[\mathcal{E}]$ unless UBK-PCA$[\mathcal{E}]$ is polynomial or $\mathcal{E}.\mathsf{keygen}$ is malleable. Based on a reasoning similar to the proof of Corollary 1, we deduce from these incompatibilities that:

Corollary 2. Let $\mathcal{E}$ be a single-key factoring-based encryption scheme and assume $\mathcal{E}.\mathsf{keygen}$ is non-malleable. There is no polynomial black-box reduction FACT$[\mathcal{E}.\mathsf{keygen}] \Leftarrow$ IND-CCA$[\mathcal{E}]$ unless FACT$[\mathcal{E}.\mathsf{keygen}]$ is polynomial.

To exemplify Corollary 2, we provide this extended impossibility result for Rabin-SAEP.

Theorem 6 (Standard-model security of Rabin-SAEP, revisited). Assume Rabin-SAEP.keygen is non-malleable. Then Rabin-SAEP admits no instantiation in the standard model which is chosen-ciphertext secure under the factoring assumption, i.e. for any instantiation of $H$,

$$\mathrm{IND\text{-}CCA}[\mathrm{Rabin\text{-}SAEP}] \not\equiv \mathrm{FACT}[\mathrm{Rabin\text{-}SAEP}.\mathsf{keygen}].$$

Similar uninstantiability results hold for single-key factoring-based encryption schemes whose chosen-ciphertext security is shown to be equivalent to factoring in the RO model. Again, these stronger separations are effective only when the underlying key generation is non-malleable. In other words, either these encryption schemes do separate the RO model from the standard model in a very strong sense, or their key generation must be malleable along the lines of Definition 1.

5 Overcoming Uninstantiability

Keyed Paddings. At first look, including some additional key material such as a random string in the public key seems to invalidate our impossibility results completely. Typically the extra parameter can serve as a function index in a keyed family of hash functions. This seems to be an efficient countermeasure for single-key factoring-based encryption making use of encryption paddings which, unlike SAEP[+]/OAEP[+][+], Fujisaki-Okamoto and REACT, include keyed hash functions.

Encryption Twinning. Naor and Yung [17] and Dolev, Dwork and Naor [10] suggested transformations which, when applied to IND-CPA-secure encryptions such as Blum-Goldwasser [4] or Chor-Goldreich [8], may lead to IND-CCA-secure schemes under the factoring assumption. The transformed schemes use public keys containing two or more independently generated moduli with respect to the basic scheme. This paradigm makes it possible to generically construct a larger class of factoring-based cryptosystems whose IND-CCA security can possibly be proven equivalent to factoring, thereby escaping all incompatibility results described earlier. We comment that the cornerstone of Theorem 1 resides in that the decryption oracle provided in the UBK-CCA game can serve as a factoring algorithm when interfaced with the black-box reduction $\mathcal{R}$. We now see how encryption twinning prohibits such a use of the decryption oracle. The public key in a Naor-Yung-transformed encryption scheme $\mathrm{NY}(\mathcal{E})$ is $(n_1, n_2, r)$ where $n_1, n_2 \leftarrow \mathcal{E}.\mathsf{keygen}$ and $r$ is a random string used to generate NIZK proofs during encryption. An encryption of $m \in \mathcal{M}_{n_1} \cap \mathcal{M}_{n_2}$ is $(c_1 = \mathsf{Enc}(n_1, m, r_1),\ c_2 = \mathsf{Enc}(n_2, m, r_2),\ \pi)$ where $\pi$ is a proof that $c_1$ and $c_2$ encrypt the same plaintext. Now assume (as is typically the case with single-key factoring-based encryption) there exists an efficient way to generate a random-looking $c_1$ such that its decryption $\mathsf{Dec}(\mathsf{factors}(n_1), c_1)$ leads to an immediate recovery of $\mathsf{factors}(n_1)$. In a typical reduction $\mathcal{R}$ from FACT$[\mathcal{E}.\mathsf{keygen}]$ to breaking the OW-CPA security of $\mathrm{NY}(\mathcal{E})$, $\mathcal{R}$ takes as input a modulus $n_1 \leftarrow \mathcal{E}.\mathsf{keygen}(1^k)$ but generates by itself the second key pair $(n_2, \mathsf{factors}(n_2)) \leftarrow \mathcal{E}.\mathsf{keygen}(1^k)$ and $r$ to constitute a public key $pk = (n_1, n_2, r)$. Since $\mathcal{R}$ fully controls the generation of $n_2$ and $r$, $\mathcal{R}$ can use the simulator of the underlying NIZK proof system to create a valid encryption $c = (c_1, c_2, \pi)$ for a random $c_1$. Calling the OW-CPA adversary will then provide $\mathsf{Dec}(\mathsf{factors}(n_1), c_1)$, thus allowing $\mathcal{R}$ to factor $n_1$. The meta-reduction $\mathcal{M}$ playing the UBK-CCA game against $\mathrm{NY}(\mathcal{E})$, however, is given some public key $PK = (N_1, N_2, R)$ and a decryption oracle implicitly parameterized by $PK$. Since $\mathcal{R}$ takes as input a single modulus and generates by itself the rest of the public key to be given to its adversarial oracle, $\mathcal{M}$ cannot, even if $\mathcal{R}$ is run on input $N_1$, use the decryption oracle to answer the request(s) $((N_1, n_2, r), (c_1, c_2, \pi))$ made by $\mathcal{R}$ because $\Pr[n_2 \neq N_2 \vee r \neq R]$ is overwhelming.

6 Are Key Generators Non-malleable? 

Our extended impossibility results apply to single-key encryption schemes based 
on non-malleable key generation. We conjecture that most instance generators 
are in turn non-malleable and expect to see further research works based on 
this property in the future. A possible improvement of this work would be to 
give a formal proof of non-malleability for commonly referred generators such as 
RSA-3 or Sophie-Germain using computational number theory. Another issue is 
the design of non-trivial examples of malleable key generators. 
Abstract. We describe a strategy for finding small modular and integer 
roots of multivariate polynomials using lattice-based Coppersmith tech-
niques. Applying our strategy, we obtain new polynomial-time attacks 
on two RSA variants. First, we attack the Qiao-Lam scheme that uses a 
Chinese Remaindering decryption process with a small difference in the 
private exponents. Second, we attack the so-called Common Prime RSA 
variant, where the RSA primes are constructed in a way that circum-
vents the Wiener attack. 

Keywords: lattices, small roots, Coppersmith’s method, RSA variants, 
cryptanalysis. 

1 Introduction 

Since Coppersmith introduced new ways of finding small modular and integer 
roots of polynomials in 1996 [4,5,6], variations of these methods have been widely 
used in the field of cryptanalysis. Let us give an example that demonstrates the 
usefulness of computing small roots. In the case of RSA, the public variables 
(N, e) and the secret variables (d, p, q) satisfy the relation 

  ed − 1 = k(N − (p + q − 1)),  for some (unknown) k. 

It is known that one can use Coppersmith techniques to try to find the integer 
root (d, k, p + q − 1) of the polynomial f(x, y, z) = ex − yN + yz − 1, and hence 
recover the factorization of N. Alternatively, one could look for the modular root 
(k, p + q − 1) of f_e(y, z) = y(N − z) + 1 modulo e. 
The success of the application of a Coppersmith technique depends on the size 
of the root. More precisely, the analysis of the attack results in a bound on the 
size of roots that can be found with this method in polynomial time. For the case 
of finding the root (y^{(0)}, z^{(0)}) = (k, p + q − 1) of f_e(y, z) = y(N − z) + 1 modulo 
e in the example above, Boneh and Durfee [1] used a Coppersmith technique to 
obtain the bound 

  Y^{2+3τ} Z^{1+3τ+3τ²} < e^{1+3τ},  for |y^{(0)}| < Y and |z^{(0)}| < Z, 

where τ ≥ 0 can be optimized once the sizes of Y, Z, and e are known. This led 
Boneh and Durfee to show that for d < N^{0.284} the secret RSA parameters can 
be recovered in polynomial time, which they later refined to d < N^{0.292} in the 
same work [1]. 

Since the analysis of a polynomial f of which we wish to find a small root 
heavily depends on the monomials that appear in f, each new polynomial has 
to be analyzed anew. This is typically a tedious and non-trivial task. In 2005, 
Blömer and May [3] showed how to find optimal bounds for small integer roots of 
bivariate polynomials. In this paper we present a heuristic strategy that applies 
to all multivariate polynomials, having either modular or integer roots. 

We apply our strategy to derive new heuristic attacks on two RSA variants, 
using a polynomial that arises in their cryptanalysis. In the first system, the 
Chinese Remainder Theorem is used in the decryption phase, with the special 
property that d_p = d mod (p − 1) and d_q = d mod (q − 1) have a fixed difference 
d_p − d_q. This scheme was proposed in 1998 by Qiao and Lam [17] who suggested 
to use the small difference d_p − d_q = 2. The benefit of the Qiao-Lam scheme is 
that one has to store only one out of the two keys d_p, d_q and the small difference 
itself. Up to now, the best attack on the Qiao-Lam scheme was a meet-in-the-
middle attack with time and space complexity O(√min{d_p, d_q}) [17]. 

Qiao and Lam proposed to use a 1024-bit modulus N with 128-bit d_p, d_q. 
Moreover, they argued that in practice 96-bit private exponents should provide 
sufficient security. Our results show that private exponents up to N^{0.099} can be 
recovered in polynomial time. Hence, for 1024-bit RSA moduli one can recover 
96-bit d_p, d_q in polynomial time. Furthermore, attacking 128-bit private expo-
nents should also be feasible with our attack by adding some brute force search 
on the most significant bits. We confirm the validity of our heuristic attack 
by providing several experiments. Although recovering 96-bit private exponents 
can theoretically be done in polynomial time, in practice it turns out to be 
a non-trivial task since it requires an LLL-lattice basis reduction [13] in large 
dimension. 

We would like to point out that our attack works whenever max{d_p, d_q} < 
N^{0.099−ε} for some arbitrarily small constant ε, and the difference d_p − d_q is known 
to the attacker. We do not require that the difference d_p − d_q itself is a small 
constant like in the Qiao-Lam scheme. 

As a second application of our strategy, we give a new attack on an RSA 
variant called Common Prime RSA. This variant was originally proposed by 
Wiener [19] as a countermeasure for his attack on small secret exponents d < N^{1/4}. 



A Strategy for Finding Roots of Multivariate Polynomials 269 


The suggestion is to choose p, q such that p − 1 and q − 1 share a large gcd. In 
1995, Lim and Lee [12] used this Common Prime RSA variant in a server-aided 
RSA protocol, which was attacked in 1998 by McKee and Pinch [15]. Recently, 
Hinek [9] revisited the Common Prime RSA variant. He proposed several RSA 
parameter settings with secret exponents less than N^{1/4}. However, our second 
heuristic attack shows that parts of the proposed key space lead to polynomial 
time attacks on RSA. We demonstrate the practicality of our second attack by 
providing several experiments that recover the RSA secret information. 

2 Finding Small Roots 

In this section we describe some tools that we use to solve the problem of finding 
small roots, for both the modular and the integer case. Moreover, we present our 
new strategy. 

In [4,5,6], Coppersmith describes rigorous techniques to find small integer 
roots of polynomials in a single variable modulo N, and polynomials in two 
variables over the integers. The methods extend to more variables, making them 
heuristical. Howgrave-Graham reformulated Coppersmith’s ideas of finding mod- 
ular roots in [11], of which we use the following (generalized) lemma. 

Lemma 1 (Howgrave-Graham). Let h(x_1, …, x_n) ∈ Z[x_1, …, x_n] be an 
integer polynomial that consists of at most ω monomials. Suppose that 

(1) h(x_1^{(0)}, …, x_n^{(0)}) = 0 mod N for some |x_1^{(0)}| < X_1, …, |x_n^{(0)}| < X_n, and 

(2) ||h(x_1 X_1, …, x_n X_n)|| < N/√ω. 

Then h(x_1^{(0)}, …, x_n^{(0)}) = 0 holds over the integers. 

In Lemma 1 the norm of a polynomial f(x_1, …, x_n) = Σ a_{i_1…i_n} x_1^{i_1} ⋯ x_n^{i_n} is the 
Euclidean norm of its coefficient vector: ||f(x_1, …, x_n)||² := Σ |a_{i_1…i_n}|². 

Howgrave-Graham's lemma is usually combined with LLL reduction of lattice 
bases, designed by Lenstra, Lenstra, and Lovász [13]. A proof of the following 
fact can be found in [14]. 

Fact 1 (LLL). Let L be a lattice of dimension ω. In polynomial time, the LLL-
algorithm outputs reduced basis vectors v_i, 1 ≤ i ≤ ω, that satisfy 

  ||v_1|| ≤ ||v_2|| ≤ … ≤ ||v_i|| ≤ 2^{ω(ω−1)/(4(ω+1−i))} det(L)^{1/(ω+1−i)}. 

Thus the condition 2^{ω(ω−1)/(4(ω+1−i))} det(L)^{1/(ω+1−i)} < N/√ω implies that the polynomials 
corresponding to the shortest i reduced basis vectors match Howgrave-Graham's 
bound. This reduces to 

  det(L) < 2^{−ω(ω−1)/4} (1/√ω)^{ω+1−i} N^{ω+1−i}. 

In the analysis, we let terms that do not depend on N contribute to an error 
term ε, and simply use the determinant condition det(L) < N^{ω+1−i}. 
2.1 Strategy for Finding Small Modular Roots 

We will now describe our strategy to find small modular roots of polynomials. 
Suppose we want to find a small root (x_1^{(0)}, …, x_n^{(0)}) of a polynomial f_N modulo 
a known composite integer N of unknown factorization. We assume that we 
know an upper bound for the root, namely |x_j^{(0)}| < X_j for some given X_j, for 
j = 1, …, n. 

Let l be a leading monomial of f_N, with coefficient a_l. That is, there is no 
monomial in f_N besides l that is divisible by l. Then gcd(N, a_l) is 1, or else we 
have found a factor of N. Therefore, we can use f'_N = a_l^{−1} f_N mod N. 

We start by explaining the basic strategy to find the small modular roots, 
after which we extend it slightly to obtain the full strategy. 

Basic Strategy: Let ε > 0 be an arbitrarily small constant. Depending on 1/ε, 
we fix an integer m. For k ∈ {0, …, m + 1}, we define the set M_k of monomials 

  M_k := { x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} | x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} is a monomial of f_N^m 
           and (x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n}) / l^k is a monomial of f_N^{m−k} }. 

In this definition of M_k and throughout this paper, we assume that the monomi-
als of f_N, …, f_N^{m−1} are all contained in the monomials of f_N^m. If this is not the 
case, the definition can be slightly changed such that M_k contains all monomials 
x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} of f_N^j for j ∈ {1, …, m} for which (x_1^{i_1} ⋯ x_n^{i_n}) / l^k is a monomial of f_N^i 
for some i ∈ {0, …, m − k}. Notice that by definition the set M_0 contains all 
the monomials in f_N^m, whereas M_{m+1} = ∅. 

Next, we define the following shift polynomials: 

  g_{i_1…i_n}(x_1, …, x_n) := (x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} / l^k) · f'_N(x_1, …, x_n)^k · N^{m−k}, 

for k = 0, …, m, and x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} ∈ M_k \ M_{k+1}. 

All polynomials g have the root (x_1^{(0)}, …, x_n^{(0)}) modulo N^m. We define a lat-
tice L by taking the coefficient vectors of g(x_1 X_1, …, x_n X_n) as a basis. We can 
force the matrix describing L to be lower triangular, if we use the following 
ordering of the columns of the matrix. A column corresponding to the mono-
mial x_1^{i_1} ⋯ x_n^{i_n} ∈ M_k \ M_{k+1} has smaller order than a column corresponding to 
x_1^{j_1} ⋯ x_n^{j_n} ∈ M_{k'} \ M_{k'+1} if k < k'. If k' = k, then a lexicographical ordering 
of the monomials is used. The columns in the lattice basis appear in increasing 
order from left to right. The diagonal elements are those corresponding to the 
monomial l^k in (f'_N)^k for each row. Therefore, the diagonal terms of the matrix 
are X_1^{i_1} X_2^{i_2} ⋯ X_n^{i_n} N^{m−k} for the given combinations of k and i_j. 

The intuition behind the choice of the sets M_k can be explained as follows. 
We aim to have a matrix with a low determinant. To keep the diagonal element 
corresponding to the monomial x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} of f_N^m as small as possible, we use 
the largest possible powers of f_N in the shifts. The condition that (x_1^{i_1} ⋯ x_n^{i_n}) / l^k is 
a monomial of f_N^{m−k} ensures that no monomials appear that are not in f_N^m. 
For a small example, consider the polynomial f_N(x, y) = 1 + xy² + x²y. Let us 
take l = x²y as our leading term, and m = 2. We want to build a lattice whose 
columns correspond to the monomials {1, xy², x²y, x²y⁴, x³y³, x⁴y²} of f_N². The 
shifts given by our strategy are: 

  for 1 ∈ M_0 \ M_1:       N²            for x²y ∈ M_1 \ M_2:     f_N N 
  for xy² ∈ M_0 \ M_1:     xy² N²        for x³y³ ∈ M_1 \ M_2:    xy² f_N N 
  for x²y⁴ ∈ M_0 \ M_1:    x²y⁴ N²       for x⁴y² ∈ M_2 \ M_3:    f_N² 

Note that the monomial x²y⁴ is not in M_1. Although x²y⁴ is divisible by l = x²y 
and therefore we could obtain x²y⁴ also by using the shift y³ f_N N, the product 
y³ f_N would produce the new monomials y³ and xy⁵, which are not in f_N². 

In general, we find that our condition det(L) < N^{m(ω+1−n)} derived from 
Lemma 1 and Fact 1, reduces to 

  ∏_{j=1}^{n} X_j^{s_j} < N^{s_N},   for s_j = Σ_{x_1^{i_1} ⋯ x_n^{i_n} ∈ M_0} i_j 
  and s_N = Σ_{k=0}^{m} k (|M_k| − |M_{k+1}|) = Σ_{k=1}^{m} |M_k|.        (1) 

If we follow this procedure for a given f_N, then (1) will give us an upper bound 
on the size of the root that we are trying to find. For X_j and N satisfying this 
bound we obtain n polynomials h_i such that h_i(x_1^{(0)}, …, x_n^{(0)}) = 0. If the poly-
nomials h_i are algebraically independent, i.e. they do not share a non-trivial gcd, 
then resultant computations will reveal the root. Under Assumption 1 this will 
lead us to finding (x_1^{(0)}, …, x_n^{(0)}). 

Assumption 1. The resultant computations for the polynomials hi yield non- 
zero polynomials. 

All methods for n > 2 have a similar assumption concerning the algebraic inde- 
pendence of the polynomials hi . Therefore one has to keep in mind that (most) 
attacks using Coppersmith techniques are heuristical, and experiments must be 
done for specific cases to justify the assumption. 

Extended Strategy: For many polynomials, it is profitable to use extra shifts of 
a certain variable. For instance, if we use extra shifts of x_1, then we can extend 
our basic strategy by using 

  M_k := ⋃_{0≤j≤t} { x_1^{i_1+j} x_2^{i_2} ⋯ x_n^{i_n} | x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} is a monomial of f_N^m 
                     and (x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n}) / l^k is a monomial of f_N^{m−k} }. 

Moreover, extra shifts of several variables, or combined shifts should be consid-
ered to obtain an optimal bound. 

Using this new definition of M_k, the rest of the strategy conforms to the basic 
strategy as described before. In Appendix A, we show how the known results on 
small modular roots from [1,2,6] are all special cases of our basic or extended 
strategy. 
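As an added illustration (not part of the paper), the following Python reproduces the bookkeeping of the basic and extended modular strategy on the paper's own example f_N(x, y) = 1 + xy² + x²y with l = x²y and m = 2: it computes the sets M_k, the shift polynomials (x^i / l^k) f'_N^k N^{m−k}, the diagonal of the triangular basis matrix and the exponents s_j, s_N of condition (1). The instance itself (root (3, 5), N = f_N(3, 5) = 121) is constructed only so that the shifts can be checked to vanish modulo N^m; the LLL step that would follow is not performed.

```python
import math

# Polynomials are dicts {exponent_tuple: coefficient}; a monomial is its exponent tuple.

def poly_mul(f, g):
    h = {}
    for ea, ca in f.items():
        for eb, cb in g.items():
            e = tuple(a + b for a, b in zip(ea, eb))
            h[e] = h.get(e, 0) + ca * cb
    return {e: c for e, c in h.items() if c != 0}

def poly_pow(f, k):
    n = len(next(iter(f)))
    result = {(0,) * n: 1}
    for _ in range(k):
        result = poly_mul(result, f)
    return result

def normalise(f_N, l, N):
    """f'_N = a_l^{-1} f_N mod N; if gcd(a_l, N) != 1 a factor of N has been found instead."""
    g = math.gcd(f_N[l], N)
    if g != 1:
        raise ValueError("gcd(a_l, N) = %d is a nontrivial factor of N" % g)
    inv = pow(f_N[l], -1, N)
    return {e: (c * inv) % N for e, c in f_N.items()}

def quotient(mono, l, k):
    """Exponent vector of x^i / l^k (a negative entry means l^k does not divide x^i)."""
    return tuple(b - k * a for a, b in zip(l, mono))

def monomial_sets(f_N, l, m, t=0):
    """M_0, ..., M_{m+1} of Section 2.1; t > 0 adds the extra x_1-shifts of the extended strategy."""
    supports = [set(poly_pow(f_N, j)) for j in range(m + 1)]
    sets = []
    for k in range(m + 2):
        M_k = set()
        if k <= m:
            for mono in supports[m]:
                q = quotient(mono, l, k)
                if min(q) >= 0 and q in supports[m - k]:
                    for j in range(t + 1):
                        M_k.add((mono[0] + j,) + mono[1:])
        sets.append(M_k)
    return sets

def shift_polynomials(f_N, l, N, m, t=0):
    """Shifts (x^i / l^k) * f'_N^k * N^(m-k) for x^i in M_k \\ M_{k+1}, returned as (k, x^i, polynomial)."""
    f_prime = normalise(f_N, l, N)
    sets = monomial_sets(f_N, l, m, t)
    shifts = []
    for k in range(m + 1):
        f_k = poly_pow(f_prime, k)
        for mono in sorted(sets[k] - sets[k + 1]):   # lexicographic order within one k
            q = quotient(mono, l, k)
            g = {tuple(a + b for a, b in zip(q, e)): c * N ** (m - k) for e, c in f_k.items()}
            shifts.append((k, mono, g))
    return shifts

def diagonal_entries(shifts, bounds, N, m):
    """Diagonal of the triangular basis matrix: X_1^{i_1} ... X_n^{i_n} N^(m-k), one entry per shift."""
    out = []
    for k, mono, _ in shifts:
        d = N ** (m - k)
        for X, i in zip(bounds, mono):
            d *= X ** i
        out.append(d)
    return out

def bound_exponents(sets, m):
    """s_j and s_N of condition (1): prod_j X_j^{s_j} < N^{s_N}."""
    n = len(next(iter(sets[0])))
    s = [sum(mono[j] for mono in sets[0]) for j in range(n)]
    s_N = sum(len(sets[k]) for k in range(1, m + 1))
    return s, s_N

def evaluate(g, point, modulus):
    total = 0
    for e, c in g.items():
        term = c
        for v, a in zip(point, e):
            term *= v ** a
        total += term
    return total % modulus

# The example of the text: f_N(x, y) = 1 + x y^2 + x^2 y, leading monomial l = x^2 y, m = 2.
# Constructed instance: root (3, 5) and N = f_N(3, 5) = 121, so that f_N(3, 5) = 0 mod N holds.
F_EXAMPLE = {(0, 0): 1, (1, 2): 1, (2, 1): 1}
L_EXAMPLE = (2, 1)
X0, Y0 = 3, 5
N_EXAMPLE = 1 + X0 * Y0 ** 2 + X0 ** 2 * Y0   # 121

if __name__ == "__main__":
    sets = monomial_sets(F_EXAMPLE, L_EXAMPLE, 2)
    for k, M_k in enumerate(sets):
        print("M_%d = %s" % (k, sorted(M_k)))
    shifts = shift_polynomials(F_EXAMPLE, L_EXAMPLE, N_EXAMPLE, 2)
    for k, mono, g in shifts:
        vanishes = evaluate(g, (X0, Y0), N_EXAMPLE ** 2) == 0
        print("k = %d, x^%s: %s, vanishes mod N^m: %s" % (k, mono, g, vanishes))
    print("(s_j), s_N =", bound_exponents(sets, 2))
```

For the example the sets come out as M_0 = all six monomials of f_N², M_1 = {x²y, x³y³, x⁴y²}, M_2 = {x⁴y²}, M_3 = ∅, and (1) reads X^{12} Y^{12} < N^4; passing t = 1 shows the extended strategy doubling M_0 with the x-shifted monomials.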
2.2 Strategy for Finding Small Integer Roots 

Coron reformulated Coppersmith's method of finding small integer roots in [7]. 
Essentially, Coron picks a 'suitable' integer R and transforms the situation into 
finding a small root modulo R, after which one can apply Howgrave-Graham's 
lemma. Analogous to Coron, we will now present our heuristic strategy for finding 
small integer roots of multivariate polynomials. The result is an extension of the 
result given by Blömer and May [3], that was meant for the provable special case 
of bivariate polynomials. 

We note that one could also use Coppersmith's original technique instead 
of Coron's reformulation. The advantage of doing so is that in the original Cop-
persmith technique, lattices of smaller dimension are required. The asymptotic 
bounds obtained by both methods are equivalent, but the difference is in the size 
of the error term ε. For this paper, we have chosen to use Coron's method for 
the sake of a simpler notation, an easier implementation and for its similarity to 
the modular approach. 

Suppose we want to find the small integer root (x_1^{(0)}, …, x_n^{(0)}) of an irreducible 
polynomial f. We know that the root is small in the sense that |x_j^{(0)}| < X_j, for 
j = 1, …, n. 

Analogous to Section 2.1, we fix an integer m depending on 1/ε. We call d_j the 
maximal degree of x_j in f, and W the maximal coefficient of f(x_1 X_1, …, x_n X_n). 
We will use W = ||f(x_1 X_1, …, x_n X_n)||_∞, with ||f(x_1, …, x_n)||_∞ := max |a_{i_1…i_n}| 
for f(x_1, …, x_n) = Σ a_{i_1…i_n} x_1^{i_1} ⋯ x_n^{i_n} as a notation. Moreover, we define R = 
W ∏_{j=1}^{n} X_j^{d_j(m−1)}. To work with a polynomial with constant term 1, we define 
f' = a_0^{−1} f mod R, where a_0 is the constant term of f. This means that we should 
have a_0 ≠ 0 and gcd(a_0, R) = 1. The latter is easy to achieve, analogous to [7, 
Appendix A], since any X_j with gcd(a_0, X_j) ≠ 1 can be changed into an X'_j such 
that X_j < X'_j < 2X_j and gcd(a_0, X'_j) = 1. The same holds for W. 

Let us now consider the case a_0 = 0. In [7, Appendix A], Coron discussed this 
case for bivariate polynomials, and showed a simple way to transfer a polynomial 
f with zero constant term into a polynomial f* with non-zero constant term. 

A general way to do this for multivariate polynomials would be the following. 
First, we find a non-zero integer vector (y_1, …, y_n) such that f(y_1, …, y_n) ≠ 0. 
This can be constructed in polynomial time since there are only polynomially 
many roots within the given bounds. Then we define f*(x_1, …, x_n) := f(x_1 + 
y_1, …, x_n + y_n), and look for roots of f*. Since f*(0, …, 0) = f(y_1, …, y_n), f* 
has a non-zero constant term. 

We would like to point out that the switch to f* will affect the set of mono-
mials, and new monomials may appear in f* that were not in f. This may affect 
the analysis and lead to a different Coppersmith-type bound. This issue already 
appears with bivariate polynomials, but it did not affect Coron's analysis since 
in his case the set of monomials stayed the same. 

Let us now describe our strategy for finding integer roots. As before, we start 
with the basic strategy, that we extend later to obtain the full strategy. 
Basic Strategy: Let us first fix an arbitrarily small error term ε. We define an 
integer m depending on 1/ε. Furthermore, we define the sets S and M of monomials 
that represent the monomials of f^{m−1} and f^m respectively. We denote by l_j the 
largest exponent of x_j that appears in the monomials of S, i.e. l_j = d_j(m − 1). 

Next, we define the following shift polynomials 

  g : x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} f'(x_1, …, x_n) ∏_{j=1}^{n} X_j^{l_j − i_j},   for x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} ∈ S, 

  g' : x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} R,                          for x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} ∈ M \ S. 

All g and g' have the root (x_1^{(0)}, …, x_n^{(0)}) modulo R. The coefficient vectors of 
g(x_1 X_1, …, x_n X_n) and g'(x_1 X_1, …, x_n X_n) form a lattice basis of a lattice L. 

Using lexicographical ordering of the monomials, we can order the basis matrix 
such that it is upper triangular. The diagonal elements of the rows of g are those 
corresponding to the constant term in f'. Therefore, the diagonal entries of the 
matrix are ∏_{j=1}^{n} X_j^{d_j(m−1)} for the polynomials g and W ∏_{j=1}^{n} X_j^{d_j(m−1)+i_j} for 
the polynomials g'. 

From Section 2, we know that the determinant condition det(L) < R^{ω+2−n} 
ensures that the n − 1 smallest vectors in an LLL reduced basis of L correspond 
to n − 1 polynomials h_i(x_1, …, x_n) with h_i(x_1^{(0)}, …, x_n^{(0)}) = 0. 

We find that the condition det(L) < R^{ω+2−n} reduces to 

  ∏_{j=1}^{n} X_j^{s_j} < W^{s_W},   for s_j = Σ_{x_1^{i_1} ⋯ x_n^{i_n} ∈ M \ S} i_j  and  s_W = |S|.        (2) 

So if (2) holds, we obtain n − 1 polynomials h_i such that h_i(x_1^{(0)}, …, x_n^{(0)}) = 0. 

The choice of R ensures that the h_i are independent of f. This is because all h_i 
are divisible by ∏_{j=1}^{n} X_j^{d_j(m−1)}. According to a generalization by Hinek/Stinson 
[10, Corollary 5] of a lemma of Coron [7], a multiple h(x_1, …, x_n) of f(x_1, …, x_n) 
that is divisible by ∏_{j=1}^{n} X_j^{d_j(m−1)} has norm at least 

  2^{−(ρ+1)^n + 1} W ∏_{j=1}^{n} X_j^{d_j(m−1)} = 2^{−(ρ+1)^n + 1} R, 

where ρ is the maximum degree of the polynomials f, h in each variable sepa-
rately. If we let terms that do not depend on R contribute to ε, it follows that 
if h_i satisfies Howgrave-Graham's bound ||h_i(x_1 X_1, …, x_n X_n)|| < R/√ω, then it 
also cannot be a multiple of f. Since we assume that f is irreducible, it follows 
that f and h_i must be algebraically independent. However we cannot prevent 
that the h_i are pairwise algebraically dependent. So the resultant computations 
of f and h_i (for i = 1, …, n − 1) will only reveal the root under Assumption 1. 
This makes the techniques heuristical for n ≥ 3. 

Extended Strategy: As in the modular case, our strategy is not finished before 
exploring the possibilities of extra shifts of a certain variable (or more variables). 
Suppose we use extra shifts of the variable x_1. Then, instead of S = 
{monomials of f^{m−1}}, and M = {monomials of f^m}, we use 

  S = ⋃_{0≤j≤t} { x_1^{i_1+j} x_2^{i_2} ⋯ x_n^{i_n} | x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} is a monomial of f^{m−1} }, 

  M = { monomials of x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} · f | x_1^{i_1} x_2^{i_2} ⋯ x_n^{i_n} ∈ S }. 

With the new definitions, the rest of the strategy conforms to the basic strat-
egy as described above, except for the value of R. It is necessary to change R = 
W ∏_{j=1}^{n} X_j^{d_j(m−1)} into R = W ∏_{j=1}^{n} X_j^{l_j}, where l_j is the largest exponent of x_j 
that appears in the monomials of S. In Appendix B, we show that the known re-
sults on small integer roots from [3,6,8] are special cases of our basic or extended 
strategy. Moreover, a detailed example for a specific polynomial is treated in the 
next section. 

3 A Bound Obtained with the New Strategy 

In this section we will give a novel analysis of a trivariate polynomial that will be 
used in two new attacks on RSA variants in the subsequent sections. 

Let f(x, y, z) = a_0 + a_1 x + a_2 x² + a_3 y + a_4 z + a_5 xy + a_6 xz + a_7 yz be a polynomial 
with a small root (x^{(0)}, y^{(0)}, z^{(0)}) with |x^{(0)}| < X, |y^{(0)}| < Y, |z^{(0)}| < Z. We show 
that under Assumption 1 for every fixed ε, all sufficiently small roots can be found 
in time polynomial in log W provided that 

  X^{7+9τ+3τ²} (YZ)^{5+(9/2)τ} < W^{3+3τ−ε}, 

where we can optimize τ ≥ 0 after the substitution of values for X, Y, Z, and W. 

Let us follow the extended strategy described in Section 2.2 to show how this 
bound can be obtained. Our goal is to construct two polynomials h_1, h_2 with the 
root (x^{(0)}, y^{(0)}, z^{(0)}) that are not multiples of f. To do so, we fix an integer m 
depending on 1/ε, and an integer t = τm that describes the number of extra x-
shifts. We define R = W X^{2(m−1)+t} (YZ)^{m−1} and f' = a_0^{−1} f mod R. The shift 
polynomials g and g' are given by: 

  g : x^{i_1} y^{i_2} z^{i_3} f'(x, y, z) X^{2(m−1)+t−i_1} Y^{m−1−i_2} Z^{m−1−i_3}   for x^{i_1} y^{i_2} z^{i_3} ∈ S, 
  g' : R x^{i_1} y^{i_2} z^{i_3}                                         for x^{i_1} y^{i_2} z^{i_3} ∈ M \ S, 

for 

  S = ⋃_{0≤j≤t} { x^{i_1+j} y^{i_2} z^{i_3} | x^{i_1} y^{i_2} z^{i_3} is a monomial of f^{m−1} }, 

  M = { monomials of x^{i_1} y^{i_2} z^{i_3} · f | x^{i_1} y^{i_2} z^{i_3} ∈ S }. 

It follows that 

  x^{i_1} y^{i_2} z^{i_3} ∈ S  ⟺  i_2 = 0, …, m − 1;  i_3 = 0, …, m − 1;  i_1 = 0, …, 2(m − 1) − (i_2 + i_3) + t, 

  x^{i_1} y^{i_2} z^{i_3} ∈ M  ⟺  i_2 = 0, …, m;  i_3 = 0, …, m;  i_1 = 0, …, 2m − (i_2 + i_3) + t. 

All polynomials g and g' have the root (x^{(0)}, y^{(0)}, z^{(0)}) modulo R. Let h_1 and h_2 be 
linear combinations of the polynomials g and g'. As was explained in Section 2.2, 
if h_1 and h_2 satisfy Howgrave-Graham's bound ||h_i(xX, yY, zZ)|| < R/√ω, then we 
can assume that h_1 and h_2 both have the root (x^{(0)}, y^{(0)}, z^{(0)}) over the integers, 
and also that they are algebraically independent of f. 

Using the coefficient vectors of g(xX, yY, zZ) and g'(xX, yY, zZ) as a basis, we 
build a lattice L. We order the vectors such that the matrix is triangular, with 
the diagonal entries of g equal to X^{2(m−1)+t} Y^{m−1} Z^{m−1}, and those of g' equal to 

  R X^{i_1} Y^{i_2} Z^{i_3} = W X^{2(m−1)+t+i_1} Y^{m−1+i_2} Z^{m−1+i_3}. 

Now by (2), provided that ∏_{j=1}^{3} X_j^{s_j} < W^{s_W}, with (X_1, X_2, X_3) = (X, Y, Z), 
s_j = Σ_{x^{i_1} y^{i_2} z^{i_3} ∈ M \ S} i_j and s_W = |S|, holds, 
the polynomials h_1 and h_2 corresponding to the shortest two LLL-reduced basis 
vectors satisfy Howgrave-Graham's bound. This reduces to 

  X^{(7/3 + 3τ + τ²) m³ + o(m³)} (YZ)^{(5/3 + (3/2)τ) m³ + o(m³)} < W^{(1+τ) m³ + o(m³)}. 

If we let all terms of order o(m³) contribute to ε, the condition simplifies to 

  X^{7+9τ+3τ²} (YZ)^{5+(9/2)τ} < W^{3+3τ−ε}. 
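The closed-form description of S and M above can be checked mechanically. The Python below (an added example, not the authors' code) builds S and M from the support of f for given m and t exactly as the extended integer strategy of Section 2.2 prescribes, verifies them against the closed form of this section, and computes l_j, R and the exponents s_j, s_W of condition (2). The lattice dimension |M| it reports for (m, t) = (2, 3), (2, 8), (3, 3) is 54, 99 and 112, the dimensions listed in the experiment table of Section 4. Coefficients are assumed generic so that no monomial cancels, as the text also assumes.

```python
# A polynomial is represented by its support (set of exponent vectors), which is all the
# strategy needs once the coefficients are assumed generic (no cancellation of monomials).
# Section 3 polynomial: f = a0 + a1 x + a2 x^2 + a3 y + a4 z + a5 xy + a6 xz + a7 yz.
F3 = {(0, 0, 0), (1, 0, 0), (2, 0, 0), (0, 1, 0), (0, 0, 1), (1, 1, 0), (1, 0, 1), (0, 1, 1)}

def support_product(A, B):
    """Support of a product: all sums of one exponent vector from each factor."""
    return {tuple(a + b for a, b in zip(u, v)) for u in A for v in B}

def support_power(supp, k):
    n = len(next(iter(supp)))
    P = {(0,) * n}
    for _ in range(k):
        P = support_product(P, supp)
    return P

def integer_strategy_sets(supp, m, t=0):
    """S and M of Section 2.2 with t extra shifts of x_1 (t = 0 is the basic strategy)."""
    base = support_power(supp, m - 1)                       # monomials of f^{m-1}
    S = {(u[0] + j,) + u[1:] for u in base for j in range(t + 1)}
    M = support_product(S, supp)                            # monomials of x^i * f for x^i in S
    return S, M

def largest_exponents(S):
    """l_j: the largest exponent of x_j appearing in S."""
    n = len(next(iter(S)))
    return [max(u[j] for u in S) for j in range(n)]

def modulus_R(W, bounds, S):
    """R = W * prod_j X_j^{l_j} of the extended strategy."""
    R = W
    for X, l in zip(bounds, largest_exponents(S)):
        R *= X ** l
    return R

def condition_exponents(S, M):
    """s_j = sum of i_j over M \\ S and s_W = |S| of condition (2): prod_j X_j^{s_j} < W^{s_W}."""
    n = len(next(iter(M)))
    extra = M - S
    return [sum(u[j] for u in extra) for j in range(n)], len(S)

def section3_sets(m, t):
    """The closed-form description of S and M stated in Section 3."""
    S = {(i1, i2, i3) for i2 in range(m) for i3 in range(m)
         for i1 in range(2 * (m - 1) - (i2 + i3) + t + 1)}
    M = {(i1, i2, i3) for i2 in range(m + 1) for i3 in range(m + 1)
         for i1 in range(2 * m - (i2 + i3) + t + 1)}
    return S, M

def lattice_dimension(m, t):
    """omega = |M|: one basis vector per g (x^i in S) plus one per g' (x^i in M \\ S)."""
    return len(integer_strategy_sets(F3, m, t)[1])

if __name__ == "__main__":
    for m, t in [(2, 3), (2, 8), (3, 3)]:
        S, M = integer_strategy_sets(F3, m, t)
        assert (S, M) == section3_sets(m, t)
        s, s_W = condition_exponents(S, M)
        print("m=%d t=%d: dim=%d |S|=%d l_j=%s s_j=%s s_W=%d"
              % (m, t, len(M), len(S), largest_exponents(S), s, s_W))
```

Note that `largest_exponents` returns (2(m−1)+t, m−1, m−1), so `modulus_R` reproduces R = W X^{2(m−1)+t} (YZ)^{m−1} as defined above, and by the y/z symmetry of f the exponents s_2 and s_3 coincide.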


4 Attack on RSA-CRT with Known Difference 

In this section, we explain how a small root of a polynomial f(x, y, z) = a_0 + a_1 x + 
a_2 x² + a_3 y + a_4 z + a_5 xy + a_6 xz + a_7 yz results in a new attack on a variant of 
RSA-CRT proposed by Qiao/Lam [17]. We show the following result. 

Theorem 1 (RSA-CRT with Fixed Known Difference d_p − d_q) 

Under Assumption 1, for every ε > 0, there exists n_0 such that for every n > n_0, 
the following holds: Let N = pq be an n-bit RSA modulus, and p, q primes of bitsize 
n/2. Let ed = 1 mod φ(N), and d_p and d_q be such that d_p = d mod (p − 1) and 
d_q = d mod (q − 1). Assume that d_p and d_q are chosen such that d_p = d_q + c for 
some known c and bitsize(d_p), bitsize(d_q) ≤ δn for some 0 < δ < ½. Then N can 
be factored in time polynomial in log N provided that 

  δ < ¼(4 − √13) − ε. 

Notice that ¼(4 − √13) ≈ 0.099. Hence, our attack applies whenever d_p or d_q is 
smaller than N^{0.099−ε} and the difference c = d_p − d_q is known to an attacker. 

4.1 RSA-CRT with Known Difference d_p − d_q 

In 1990, Wiener [19] showed that choosing d < N^{1/4} makes RSA insecure. As an 
alternative, Wiener suggested to use the Chinese Remainder Theorem (CRT) for 
the decryption phase of RSA: Instead of computing m = c^d mod N for some 
ciphertext c, compute m_1 = c^{d_p} mod p and m_2 = c^{d_q} mod q and then combine 
these results using CRT to obtain m. Wiener pointed out that both exponents 
d_p = d mod (p − 1) and d_q = d mod (q − 1) could be chosen small to obtain a 
fast decryption. Then usually e is of the same size as the modulus N. 
Qiao and Lam [17] proposed to use d_p and d_q such that d_p − d_q = 2 in their 
method for fast signature generation on a low-cost smartcard. For the size of d_p 
and d_q, they suggest 128 bits to counteract the birthday attack that they describe 
in [17]. Moreover, they state that 96 bits should be enough to counteract this at-
tack in practice. In current proposals, a minimum of 160 bits is advised for the 
private exponents to counteract the birthday attack. 


4.2 Description of the New Attack 

When d_p − d_q = c, the public and private variables of RSA-CRT satisfy the fol-
lowing relations. 

  e d_p = 1 + k(p − 1), 
  e(d_p − c) = 1 + l(q − 1), 

or equivalently 

  e d_p − 1 + k = kp, 
  e d_p − ce − 1 + l = lq. 

Multiplying the two equations results in 

  (1 + ce) − (2e + ce²) d_p + e² d_p² − (ce + 1) k − l + e d_p k + e d_p l + (1 − N) kl = 0, 

in which the unknowns are d_p, k, and l. We can extract from this equation that 

  f(x, y, z) = (1 + ce) − (2e + ce²) x + e² x² − (ce + 1) y − z + exy + exz + (1 − N) yz 

has a small root (d_p, k, l). From (d_p, k, l), the factorization of N can easily be found. 
Suppose max{d_p, d_q} is of size N^δ for some δ ∈ (0, ½). Then k and l are both 
bounded by N^{δ+½} (here we omit constants and let these contribute to the error 
term ε). Therefore, we put X = N^δ, Y = Z = N^{δ+½}, and W = N^{2+2δ}. 
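The following Python (an added example, not code from the paper) constructs a toy Qiao-Lam style key with d_p − d_q = 2, builds the polynomial f(x, y, z) above from the public data (N, e, c) only, checks that (d_p, k, l) is a root, and recovers p from the root via e d_p − 1 + k = kp; it also runs the CRT decryption of Section 4.1 to confirm the constructed key is valid. The primes and exponents are constructed toy values, and the lattice step that would actually find the root is not implemented here.

```python
from math import gcd

def qiao_lam_keys(p, q, d_p, c):
    """Constructed Qiao-Lam style key: d_q = d_p - c and e with e*d_p = 1 (mod p-1), e*d_q = 1 (mod q-1).
    Returns (N, e, d_q, k, l) where e*d_p = 1 + k(p-1) and e*d_q = 1 + l(q-1)."""
    d_q = d_p - c
    if gcd(d_p, p - 1) != 1 or gcd(d_q, q - 1) != 1:
        raise ValueError("d_p and d_q must be invertible modulo p-1 and q-1")
    inv_p = pow(d_p, -1, p - 1)
    inv_q = pow(d_q, -1, q - 1)
    # Chinese remaindering by search over the small constructed moduli. A solution exists when the
    # two congruences agree modulo gcd(p-1, q-1); here that gcd is 2 and both inverses are odd.
    for j in range(q - 1):
        e = inv_p + j * (p - 1)
        if e % (q - 1) == inv_q:
            break
    else:
        raise ValueError("no exponent e satisfies both congruences")
    k = (e * d_p - 1) // (p - 1)
    l = (e * d_q - 1) // (q - 1)
    return p * q, e, d_q, k, l

def attack_polynomial(N, e, c):
    """f(x, y, z) of Section 4.2 as {(i1, i2, i3): coefficient}, built from public data only."""
    return {
        (0, 0, 0): 1 + c * e,
        (1, 0, 0): -(2 * e + c * e * e),
        (2, 0, 0): e * e,
        (0, 1, 0): -(c * e + 1),
        (0, 0, 1): -1,
        (1, 1, 0): e,
        (1, 0, 1): e,
        (0, 1, 1): 1 - N,
    }

def evaluate(f, point):
    total = 0
    for (i1, i2, i3), a in f.items():
        total += a * point[0] ** i1 * point[1] ** i2 * point[2] ** i3
    return total

def factor_from_root(N, e, d_p, k):
    """From e*d_p - 1 + k = k*p, the x and y coordinates of the root give p directly."""
    p = (e * d_p - 1 + k) // k
    if p <= 1 or N % p != 0:
        raise ValueError("root does not yield a factor of N")
    return min(p, N // p), max(p, N // p)

def decrypt_crt(ciphertext, p, q, d_p, d_q):
    """RSA-CRT decryption as in Section 4.1: m_1 = c^{d_p} mod p, m_2 = c^{d_q} mod q, recombine."""
    m1 = pow(ciphertext, d_p, p)
    m2 = pow(ciphertext, d_q, q)
    h = ((m2 - m1) * pow(p, -1, q)) % q
    return m1 + h * p

if __name__ == "__main__":
    # Constructed toy instance (10-bit primes); d_p - d_q = 2 as in the Qiao-Lam scheme.
    p, q, d_p, c = 1019, 1021, 15, 2
    N, e, d_q, k, l = qiao_lam_keys(p, q, d_p, c)
    f = attack_polynomial(N, e, c)
    print("e =", e, " k =", k, " l =", l)
    print("f(d_p, k, l) =", evaluate(f, (d_p, k, l)))
    print("factors from root:", factor_from_root(N, e, d_p, k))
    print("CRT decryption round trip:", decrypt_crt(pow(42, e, N), p, q, d_p, d_q) == 42)
```

For the toy instance, e comes out of size N (as the text notes is usual) while d_p, d_q are tiny, and k, l are of size e d_p / p, which is exactly the N^{δ+½} estimate used above.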

In Section 3 we showed that for this polynomial, the asymptotic bound is 

  X^{7+9τ+3τ²} (YZ)^{5+(9/2)τ} < W^{3+3τ}, 

where τ ≥ 0 can be optimized. Substituting the values for X, Y, Z, and W, we 
obtain 

  (7 + 9τ + 3τ²) δ + (5 + (9/2)τ)(2δ + 1) − (3 + 3τ)(2δ + 2) < 0,  or 
  3δ τ² + 3(4δ − ½) τ + (11δ − 1) < 0. 

For the optimal value τ = (1 − 8δ)/(4δ), this reduces to δ < ¼(4 − √13) ≈ 0.099. 

Therefore, for a 1024 bit modulus N, the system should be considered unsafe 
when d_p is at most 0.099 · 1024 ≈ 101 bits. This breaks the system of Qiao and 
Lam for the proposed 96 bit exponents in time polynomial in the bit-size of N. 
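Carrying the optimization in τ through explicitly (an added derivation in the symbols of the paragraph above; it is not part of the original text):

With X = N^{δ}, Y = Z = N^{δ+1/2} and W = N^{2+2δ}, comparing exponents of N in X^{7+9τ+3τ^2}(YZ)^{5+\frac{9}{2}τ} < W^{3+3τ} gives

  (7 + 9τ + 3τ^2)\,δ + \left(5 + \tfrac{9}{2}τ\right)(2δ + 1) − (3 + 3τ)(2δ + 2) < 0
  \iff 3δ\,τ^2 + 3\left(4δ − \tfrac{1}{2}\right)τ + (11δ − 1) < 0.

The left-hand side is a parabola in τ with minimum at τ^* = \frac{1 − 8δ}{4δ}, which is non-negative exactly when δ ≤ 1/8. Using \min_τ (aτ^2 + bτ + c) = c − \frac{b^2}{4a} with a = 3δ, b = 3(4δ − \tfrac{1}{2}), c = 11δ − 1:

  (11δ − 1) − \frac{3\left(4δ − \tfrac{1}{2}\right)^2}{4δ} < 0
  \iff 4δ(11δ − 1) < 48δ^2 − 12δ + \tfrac{3}{4}
  \iff 16δ^2 − 32δ + 3 > 0
  \iff δ < 1 − \tfrac{\sqrt{13}}{4} = \tfrac{1}{4}\left(4 − \sqrt{13}\right) ≈ 0.0986,

the other root 1 + \sqrt{13}/4 lying outside the admissible range δ ≤ 1/8. Any τ ≥ 0 that makes the quadratic negative suffices in practice; τ^* only gives the widest range of δ.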

We can add an exhaustive search on the most significant bits of d_p and try the 
attack for each candidate for d_p. Here, d_p = d̃_p + d_0, where the unknown part of d_p 
is d_0. The corresponding polynomial f will change, but it will still have the same 
monomials. Therefore, the analysis will follow easily. The proposal of Qiao and 
Lam to use 128 bit private exponents can also be considered unsafe when applying 
such an extra exhaustive search, although performing such an attack may be costly 
in practice. 

We performed several experiments to test the validity of Assumption 1 and to 
show which results can be achieved with relatively small lattices. We implemented 
the new attacks on a 2.4GHz Pentium running Linux. The LLL lattice reduction 
was done using Shoup's NTL [18]. For the attack on RSA-CRT with known dif-
ference described in Section 4, the parameters d_p, d_q were chosen with difference 
d_p − d_q = 2 as suggested in the Qiao-Lam scheme. For m = 2 the choice t = 8 
maximizes the size of the attackable d_p. 


  N          d_p      lattice parameters           LLL-time 
  1000 bit   10 bit   m = 2, t = 3, dim = 54         32 min 
  2000 bit   22 bit   m = 2, t = 3, dim = 54        175 min 
  3000 bit   42 bit   m = 2, t = 3, dim = 54        487 min 
  4000 bit   60 bit   m = 2, t = 3, dim = 54       1015 min 
  5000 bit   85 bit   m = 2, t = 3, dim = 54       1803 min 
   500 bit    9 bit   m = 2, t = 8, dim = 99        105 min 
  1000 bit   18 bit   m = 2, t = 8, dim = 99        495 min 
   500 bit   13 bit   m = 3, t = 3, dim = 112       397 min 


In each experiment we obtained two polynomials h_1(x, y, z), h_2(x, y, z) with the 
desired root (x^{(0)}, y^{(0)}, z^{(0)}). Solving g(z) = Res_y(Res_x(h_1, f), Res_x(h_2, f)) = 0 
yielded the unknown z^{(0)}. The parameters y^{(0)} and x^{(0)} could be obtained by back 
substitution. The resultant heuristic of Assumption 1 worked perfectly in practice. 
For every instance, we could recover the secrets and hence factor N. 

One should note that our experiments are quite far from solving the proposed 
96-bit d_p, d_q instances of the Qiao-Lam scheme. Theoretically, the smallest m for 
which one obtains the 96-bit bound is m = 61 together with t = 36, resulting in 
a lattice dimension of 376712. Reducing lattice bases in this dimension is clearly 
out of reach. 

However, we would like to point out that we did not optimize the performance of 
our attack. For optimization of the running-time, one should combine brute-force 
guessing of most significant bits of d_p with the described lattice attack. Moreover, 
one should apply faster lattice reduction methods like the recently proposed L²-
method of Nguyen and Stehlé [16]. Additionally, a significant practical improvement 
should be obtained by implementing Coppersmith's original method instead of 
Coron's method, since in Coppersmith's method one has to reduce a lattice basis 
of smaller dimension. 

5 New Attack on Common Prime RSA 

In this section, we explain how a small root of a polynomial f(x, y, z) = a_0 + a_1 x + 
a_2 x² + a_3 y + a_4 z + a_5 xy + a_6 xz + a_7 yz results in a new attack on a variant of RSA 
called Common Prime RSA. We show the following result. 
Theorem 2 (Common Prime RSA) 

Under Assumption 1, for every ε > 0, there exists n_0 such that for every n > n_0, the 
following holds: Let N = pq be an n-bit RSA modulus, and p, q primes of bitsize 
n/2 such that p − 1 = 2ga and q − 1 = 2gb, for some prime g of bitsize γn, with 
0 < γ < ½. Let ed = 1 mod 2gab, with bitsize(e) = (1 − γ)n and bitsize(d) = δn, 
with 0 < δ < 1 − γ. Then d can be found in time polynomial in log N provided 
that 

  δ < ¼(4 + 4γ − √(13 + 20γ + 4γ²)) − ε. 

5.1 Common Prime RSA 

In Section 4, we mentioned that a small d is unsafe in Wiener's attack [19]. There-
fore, RSA-CRT is often used when efficient decryption is needed. However, there is 
also a possibility to choose d < N^{1/4} in RSA while avoiding Wiener's attack. There 
is a variant of RSA where Wiener's attack works less well, as was already shown 
by Wiener, namely when gcd(p − 1, q − 1) has a large prime factor. Lim and Lee 
used this fact in a proposal [12], which was attacked a few years later by McKee 
and Pinch [15]. Recently Hinek [9] revisited this variant, calling it Common Prime 
RSA, and investigated its potential and its weaknesses. 

In Common Prime RSA, we have N = pq for primes p and q such that p = 2 ga+ 

1 and q = 2gb + 1, for g a large prime, and a, b coprime integers. The exponents 
e and d are mutually inverse modulo lcm (p — 1 ,q— 1) = 2 gab: 

ed = 1 + k ■ 2gab, with 0 < e, d < 2 gab. 

The goal is to safely choose an exponent d < Ai, which enables a fast RSA 
decryption process. We set g = A 7 and d = N s for some 0 < 7 < tj, 0 < <5 < 1 —7. 
Then, e is of size A 1-7 , k is of size N s , and a and b are both of size A? 1 . 

A large number of security issues were addressed in [9] . After excluding all pa- 
rameter choices of Common Prime RSA that should be considered unsafe by the 
known attacks, Hinek concludes that there are still plenty of safe choices for d = 
N s with 6 < \ (see Fig. 1). 

5.2 Description of the New Attack

An improved attack can be obtained by treating the equation in Hinek's second lattice attack in a different way. In his attack, Hinek starts by multiplying the following two equations:

$$ed = 1 + k(p - 1)b, \qquad ed = 1 + k(q - 1)a.$$

This can be written as $e^2 d^2 + ed(ka + kb - 2) - (N - 1)k^2 ab - (ka + kb - 1) = 0$. Next, he uses the fact that the polynomial $f(x, y, z, u) = e^2 x + ey - (N - 1)z - u$ has a small root $(d^2,\ d(ka + kb - 2),\ k^2 ab,\ (ka + kb - 1))$. This leads to the bound $\delta < \frac{2}{5}\gamma$, for which the secret information can be revealed.

Now let us take another look at the equation

$$e^2 d^2 + ed(ka + kb - 2) - (ka + kb - 1) - (N - 1)k^2 ab = 0,$$

in which the unknowns are $d, k, a$ and $b$. We can extract from this equation that the polynomial $f(x, y, z) = e^2 x^2 + ex(y + z - 2) - (y + z - 1) - (N - 1)yz$ has a small root $(d, ka, kb)$ with $X = N^{\delta}$, $Y = N^{\delta + \frac{1}{2} - \gamma}$, $Z = N^{\delta + \frac{1}{2} - \gamma}$. Moreover, $W = N^{2 + 2\delta - 2\gamma}$.

Substituting these in the asymptotical bound $X^{7 + 9\tau + 3\tau^2}(YZ)^{5 + \frac{9}{2}\tau} < W^{3 + 3\tau}$ from Section 3 yields

$$3\delta\tau^2 + 3\left(4\delta - \gamma - \tfrac{1}{2}\right)\tau + (11\delta - 1 - 4\gamma) < 0.$$

For the optimal $\tau = \frac{1 + 2\gamma - 8\delta}{4\delta}$, this reduces to $\delta < \frac{1}{4}\left(4 + 4\gamma - \sqrt{13 + 20\gamma + 4\gamma^2}\right)$.

Fig. 1 shows the new attack region as well as the known attacks, for any size of modulus $N$. Combinations of $d$ and $g$ that should be considered unsafe by the new attack are in the dark shaded area, whereas the lighter shaded area was already unsafe by the known attacks. It can be seen that the number of 'safe' combinations $\{d, g\}$ with $d < N^{1/4}$ has significantly decreased.
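The parameter structure of Section 5.1 and the bound just derived can be checked mechanically. The following Python script is an added example (not code from the paper): it builds toy Common Prime RSA parameters, verifies that the identity behind $f(d, ka, kb) = 0$ holds for them, compares the exponent condition obtained from $X^{7+9\tau+3\tau^2}(YZ)^{5+\frac{9}{2}\tau} < W^{3+3\tau}$ with the quadratic in $\tau$, and evaluates the closed-form attack region. The bit sizes, seeds and function names are assumptions chosen so the checks run instantly.

```python
"""Common Prime RSA: toy parameters, Hinek's identity and the new attack region.
Added example; bit sizes and seeds are assumptions, not values from the paper."""
import math
import random


def is_probable_prime(n, rounds=16, rng=random.Random(0)):
    """Miller-Rabin primality test, adequate for the toy sizes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def gen_common_prime_rsa(g_bits=24, ab_bits=16, d_bits=20, seed=1):
    """N = pq with p = 2ga+1, q = 2gb+1, gcd(a, b) = 1 and ed = 1 mod 2gab (Section 5.1).
    Returns every quantity of the scheme, including k = (ed - 1) / (2gab)."""
    rng = random.Random(seed)
    g = random_prime(g_bits, rng)
    while True:
        a = rng.getrandbits(ab_bits) | 1
        if is_probable_prime(2 * g * a + 1):
            break
    while True:
        b = rng.getrandbits(ab_bits) | 1
        if math.gcd(a, b) == 1 and is_probable_prime(2 * g * b + 1):
            break
    p, q = 2 * g * a + 1, 2 * g * b + 1
    lam = 2 * g * a * b                      # lcm(p-1, q-1), since gcd(a, b) = 1
    while True:
        d = rng.getrandbits(d_bits) | 1
        if 1 < d < lam and math.gcd(d, lam) == 1:
            break
    e = pow(d, -1, lam)
    k = (e * d - 1) // lam
    return {"N": p * q, "p": p, "q": q, "g": g, "a": a, "b": b, "e": e, "d": d, "k": k}


def hinek_identity_holds(P):
    """e^2 d^2 + ed(ka+kb-2) - (ka+kb-1) - (N-1) k^2 ab = 0, i.e. f(d, ka, kb) = 0."""
    N, e, d, k, a, b = (P[s] for s in ("N", "e", "d", "k", "a", "b"))
    return (e * e * d * d + e * d * (k * a + k * b - 2)
            - (k * a + k * b - 1) - (N - 1) * k * k * a * b) == 0


def tau_condition(delta, gamma, tau):
    """Exponent of N in X^{7+9t+3t^2}(YZ)^{5+9t/2} / W^{3+3t}
    with X = N^delta, Y = Z = N^{delta+1/2-gamma}, W = N^{2+2delta-2gamma}."""
    x = (7 + 9 * tau + 3 * tau ** 2) * delta
    yz = (5 + 4.5 * tau) * (2 * delta + 1 - 2 * gamma)
    w = (3 + 3 * tau) * (2 + 2 * delta - 2 * gamma)
    return x + yz - w


def tau_quadratic(delta, gamma, tau):
    """The same quantity written as 3d t^2 + 3(4d - g - 1/2) t + (11d - 1 - 4g)."""
    return 3 * delta * tau ** 2 + 3 * (4 * delta - gamma - 0.5) * tau + (11 * delta - 1 - 4 * gamma)


def optimal_tau(delta, gamma):
    return (1 + 2 * gamma - 8 * delta) / (4 * delta)


def new_attack_bound(gamma):
    """delta < (4 + 4g - sqrt(13 + 20g + 4g^2)) / 4, the asymptotic region of the new attack."""
    return (4 + 4 * gamma - math.sqrt(13 + 20 * gamma + 4 * gamma ** 2)) / 4


def unsafe_by_new_attack(gamma, delta):
    """Check a key generator should run: is (gamma, delta) inside the new attack region?"""
    return delta < new_attack_bound(gamma)
```

`new_attack_bound` reproduces the "maximal δ (asymptotic), new attack" column of the table below; `tau_condition` and `tau_quadratic` agree for every τ, which is the substitution step of the derivation.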



We note that for 'small' $N$ (such as the regular 1024 bits), other attacks such as factoring attacks may apply, see [9]. Also, depending on the size of $N$, the attacks in the figure could be extended by an additive exhaustive search.

We performed experiments to check the validity of Assumption 1 and to demonstrate the practicality of our attack. We have implemented the new attack for the parameter setting $m = 2$, $t = 0$ (without the possible additional exhaustive search), to give an impression of what a realistic bound is for the smallest lattice possible. Of course, extending to $m = 3$, $m = 4$, etc. and using $x$-shifts will give results closer to the theoretical attack bound $\delta < \frac{1}{4}\left(4 + 4\gamma - \sqrt{13 + 20\gamma + 4\gamma^2}\right)$, but will also result in a longer time needed for the lattice basis reduction. For $m = 2$, $t = 0$ the reduction time (the longest part of the attack) is about one minute.

The following table summarizes the experimental results performed for $m = 2$, $t = 0$, and $\log_2(N) = 1024$. As one can see, the results are already outside the asymptotical range of the two other lattice attacks described in [9].
  γ     | maximal δ (asymptotic) | obtained δ (m = 2, t = 0) | maximal δ (asymptotic)
        | new attack             | new attack                | known attacks
  ------|------------------------|---------------------------|-----------------------
  0.10  | 0.130                  | 0.07                      | 0.20
  0.20  | 0.164                  | 0.10                      | 0.15
  0.30  | 0.200                  | 0.13 (*)                  | 0.12
  0.40  | 0.237                  | 0.17 (*)                  | 0.16
  0.50  | 0.275                  | 0.2                       | 0.25


The resultant heuristic of Assumption 1 worked perfectly in most cases. However, in the rare situation that both $\delta$ and $\gamma$ were very small (e.g. $\gamma = 0.1$ and $\delta = 0.05$), we encountered cases where some of the polynomials $h_i$ were algebraically dependent. In these cases, we could still recover the secret information in two different ways. One way was to use combinations of $h_1$ and the somewhat 'larger' $h_i$ for $i > 2$, instead of only $h_1$ and $h_2$. The other way was by examining the cause of the zero resultant. In essence, $\mathrm{Res}_y(\mathrm{Res}_x(h_1, f), \mathrm{Res}_x(h_2, f)) = 0$ because $\mathrm{Res}_x(h_1, f)$ and $\mathrm{Res}_x(h_2, f)$ have a common polynomial factor, whose coefficients immediately reveal the secrets.

Acknowledgements. We thank Benne de Weger, Arjen Lenstra, Jason Hinek, 
and the anonymous reviewers for their helpful comments. 
A Small Modular Roots, Known Results

In this appendix, we give the known results for finding small modular roots [1,2,6] that can also be obtained by following the new strategy. Due to limited space, we only give the definitions of $M_k$ that reproduce the known bounds. In all cases where the extended strategy is used, we use the notation $t = \tau m$ for some $\tau > 0$ that can be optimized later.

Boneh/Durfee [1]: $f_N(x_1, x_2) = a_0 + a_1 x_1 + a_2 x_1 x_2$

The bound $X_1^{2 + 3\tau} X_2^{1 + 3\tau + 3\tau^2} < N^{1 + 3\tau}$ can be found with the extended strategy using $x_1^{i_1} x_2^{i_2} \in M_k \Leftrightarrow i_1 = k, \ldots, m;\ i_2 = k, \ldots, i_1 + t$.

Blömer/May [2]: $f_N(x_1, x_2, x_3) = a_0 + a_1 x_1 + a_2 x_2 + a_3 x_2 x_3$

The bound $X_1^{1 + 4\tau} X_2^{2 + 4\tau} X_3^{1 + 4\tau + 6\tau^2} < N^{1 + 4\tau}$ can be found with the extended strategy, with $x_1^{i_1} x_2^{i_2} x_3^{i_3} \in M_k \Leftrightarrow i_1 = k, \ldots, m;\ i_2 = 0, \ldots, m - i_1;\ i_3 = 0, \ldots, i_2 + t$.

Generalized Rectangle (generalization of a bound of Coppersmith [6]): $f_N(x_1, \ldots, x_n)$ is a polynomial such that the degree of $x_j$ is $\lambda_j D$.

The bound $X_1^{\lambda_1} \cdot \ldots \cdot X_n^{\lambda_n} < N$ can be obtained with the basic strategy using $x_1^{i_1} \cdot \ldots \cdot x_n^{i_n} \in M_k \Leftrightarrow i_j = \lambda_j D k, \ldots, \lambda_j D m$ (for $j = 1, \ldots, n$).

Generalized Lower Triangle (generalization of a bound of Coppersmith [6]): $f_N(x_1, \ldots, x_n)$ is a polynomial with monomials $x_1^{i_1} \cdots x_n^{i_n}$ for $i_1 = 0, \ldots, \lambda_1 D$; $i_2 = 0, \ldots, \lambda_2 D - \frac{\lambda_2}{\lambda_1} i_1$; $\ldots$; $i_n = 0, \ldots, \lambda_n D - \sum_{j=1}^{n-1} \frac{\lambda_n}{\lambda_j} i_j$.

The bound $X_1^{\lambda_1} \cdot \ldots \cdot X_n^{\lambda_n} < N^{\frac{1}{D}}$ can be obtained with the basic strategy, with $x_1^{i_1} \cdot \ldots \cdot x_n^{i_n} \in M_k \Leftrightarrow i_1 = \lambda_1 D k, \ldots, \lambda_1 D m;\ i_j = 0, \ldots, \lambda_j D m - \sum_{r=1}^{j-1} \frac{\lambda_j}{\lambda_r} i_r$ (for $j = 2, \ldots, n$).
B Small Integer Roots, Known Results

In this appendix, we give the known results for finding small integer roots [3,8,6] that can also be obtained with the basic or extended strategy. Due to limited space, we only give the definitions of $S$ and $M$ that reproduce the known bounds. In all cases where the extended strategy is used, we use the notation $t = \tau m$ for some $\tau > 0$ that can be optimized later.

Blömer/May, Upper Triangle [3]:

$f(x_1, x_2)$ is a polynomial with monomials $x_1^{i_1} x_2^{i_2}$ for $i_2 = 0, \ldots, D$, $i_1 = 0, \ldots, \lambda i_2$. The bound $X_1^{(\lambda + \tau)^2} X_2^{2(\lambda + \tau)} < W^{\lambda + 2\tau}$ can be obtained with the extended strategy, with $x_1^{i_1} x_2^{i_2} \in S \Leftrightarrow i_2 = 0, \ldots, D(m - 1);\ i_1 = 0, \ldots, \lambda i_2 + t$, and $x_1^{i_1} x_2^{i_2} \in M \Leftrightarrow i_2 = 0, \ldots, Dm;\ i_1 = 0, \ldots, \lambda i_2 + t$.

Blömer/May, Extended Rectangle [3]:

$f(x_1, x_2)$, with monomials $x_1^{i_1} x_2^{i_2}$ for $i_2 = 0, \ldots, D$, $i_1 = 0, \ldots, \gamma D + \lambda(D - i_2)$, e.g. $f(x_1, x_2) = a_0 + a_1 x_1 + a_2 x_1^2 + a_3 x_1^3 + a_4 x_2 + a_5 x_1 x_2$ (where $D = 1$, $\gamma = 1$, $\lambda = 2$). The bound $X_1^{\lambda^2 + 3\gamma\lambda + 2\tau\lambda + 4\tau\gamma + \tau^2 + 3\gamma^2} X_2^{\lambda + 3\gamma + 2\tau} < W^{\lambda + 2\gamma + 2\tau}$ can be obtained with the extended strategy, using $x_1^{i_1} x_2^{i_2} \in S \Leftrightarrow i_2 = 0, \ldots, D(m - 1);\ i_1 = 0, \ldots, \gamma D(m - 1) + \lambda(D(m - 1) - i_2) + t$, and $x_1^{i_1} x_2^{i_2} \in M \Leftrightarrow i_2 = 0, \ldots, Dm;\ i_1 = 0, \ldots, \gamma Dm + \lambda(Dm - i_2) + t$.

Ernst et al. 1 [8]: $f(x_1, x_2, x_3) = a_0 + a_1 x_1 + a_2 x_2 + a_3 x_2 x_3$.

The bound $X_1^{1 + 3\tau} X_2^{2 + 3\tau} X_3^{1 + 3\tau + 3\tau^2} < W^{1 + 3\tau}$ can be found with the extended strategy, with $x_1^{i_1} x_2^{i_2} x_3^{i_3} \in S \Leftrightarrow i_1 = 0, \ldots, m - 1;\ i_2 = 0, \ldots, m - 1 - i_1;\ i_3 = 0, \ldots, i_2 + t$, and $x_1^{i_1} x_2^{i_2} x_3^{i_3} \in M \Leftrightarrow i_1 = 0, \ldots, m;\ i_2 = 0, \ldots, m - i_1;\ i_3 = 0, \ldots, i_2 + t$.

Ernst et al. 2 [8]: $f(x_1, x_2, x_3) = a_0 + a_1 x_1 + a_2 x_2 + a_3 x_3 + a_4 x_2 x_3$.

The bound $X_1^{2 + 3\tau} X_2^{3 + 3\tau} X_3^{3 + 6\tau + 3\tau^2} < W^{2 + 3\tau}$ can be found with the extended strategy, using $x_1^{i_1} x_2^{i_2} x_3^{i_3} \in S \Leftrightarrow i_1 = 0, \ldots, m - 1;\ i_2 = 0, \ldots, m - 1 - i_1 + t;\ i_3 = 0, \ldots, m - 1 - i_1$, and $x_1^{i_1} x_2^{i_2} x_3^{i_3} \in M \Leftrightarrow i_1 = 0, \ldots, m;\ i_2 = 0, \ldots, m - i_1 + t;\ i_3 = 0, \ldots, m - i_1$.

Generalized Rectangle (generalization of a bound of Coppersmith [6]): $f(x_1, \ldots, x_n)$ is a polynomial where the degree of $x_j$ is $\lambda_j D$.

The bound $X_1^{\lambda_1} \cdot \ldots \cdot X_n^{\lambda_n} < W^{\frac{2}{(n+1)D}}$ can be found with the basic strategy, with $x_1^{i_1} x_2^{i_2} \cdots x_n^{i_n} \in S \Leftrightarrow i_j = 0, \ldots, \lambda_j D(m - 1)$, and $x_1^{i_1} x_2^{i_2} \cdots x_n^{i_n} \in M \Leftrightarrow i_j = 0, \ldots, \lambda_j D m$ (for $j = 1, \ldots, n$).

Generalized Lower Triangle (generalization of a bound of Coppersmith [6]): $f(x_1, \ldots, x_n)$ is a polynomial whose monomials are $x_1^{i_1} \cdots x_n^{i_n}$ for $0 \le i_1 \le \lambda_1 D$, $0 \le i_2 \le \lambda_2 D - \frac{\lambda_2}{\lambda_1} i_1$, $\ldots$, $0 \le i_n \le \lambda_n D - \sum_{j=1}^{n-1} \frac{\lambda_n}{\lambda_j} i_j$.

The bound $X_1^{\lambda_1} \cdot \ldots \cdot X_n^{\lambda_n} < W^{\frac{1}{D}}$ can be found with the basic strategy, with $x_1^{i_1} x_2^{i_2} \cdots x_n^{i_n} \in S \Leftrightarrow i_j = 0, \ldots, \lambda_j D(m - 1) - \sum_{r=1}^{j-1} \frac{\lambda_j}{\lambda_r} i_r$, and $x_1^{i_1} x_2^{i_2} \cdots x_n^{i_n} \in M \Leftrightarrow i_j = 0, \ldots, \lambda_j D m - \sum_{r=1}^{j-1} \frac{\lambda_j}{\lambda_r} i_r$ (for $j = 1, \ldots, n$).
Abstract. Understanding what construction strategy has a chance to be a good hash function is extremely important nowadays. In TCC'04, Maurer et al. [13] introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two systems. In Crypto'2005, Coron et al. [5] suggested to employ indifferentiability in the generic analysis of hash functions and started by suggesting four constructions which enable eliminating all possible generic attacks against iterative hash functions. In this paper we continue this initial suggestion and we give a formal proof of indifferentiability and an indifferentiability attack for prefix-free MD hash functions (for single block length (SBL) hash and also some double block length (DBL) constructions) in the random oracle model and in the ideal cipher model. In particular, we observe that there are sixteen PGV hash functions (with prefix-free padding) which are indifferentiable from a random oracle in the ideal cipher model.

1 Introduction 

The notion of indifferentiability was first introduced by Maurer et al. [13] and is a stronger notion than indistinguishability. For example, assume a cryptosystem $\mathcal{P}(\mathcal{G})$ based on a random oracle $\mathcal{G}$ is secure. Now, to prove the security of $\mathcal{P}(H^{\mathcal{F}})$ based on a Merkle-Damgård (MD) hash function $H$ where the underlying compression function $\mathcal{F}$ is a random oracle, we need to prove something different than indistinguishability. In fact, we need to prove that $H^{\mathcal{F}}$ is indifferentiable (as was introduced in [13]) from a random oracle. Informally, $H^{\mathcal{F}}$ is indifferentiable from a random oracle if there is no efficient attacker (or distinguisher) which can distinguish $\mathcal{F}$ and the hash function based on it from a random oracle $R$ and an efficient simulator of $\mathcal{F}$. Here $R$ is a random oracle with (finite) domain and range the same as those of $H$. In the case of indistinguishability, the distinguisher only needs to tell apart $H$ from $\mathcal{G}$ without any help of the oracle $\mathcal{F}$. Thus, the notion of indifferentiability is important when we consider attacks on a cryptosystem based on some ideal primitive where the attacker has some access to the computation of the primitive. In the case of a hash function, the attacker can also compute $\mathcal{F}$ as it is a random oracle which can be computed publicly. So this new notion is important for stronger attackers. If the attacker does not have that access (to the random oracle) then merely indistinguishability will suffice to preserve the security of the cryptosystem.

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 283-298, 2006.

Recently, Coron et al. [5] suggested to employ the notion for the analysis of hash functions and they proved that the classical MD iteration is not indifferentiable from a random oracle when the underlying compression function is a random oracle. They have also stated indifferentiability for prefix-free MD hash functions and some other definitions of hash functions like HMAC, NMAC and the chop-MD hash function. They also have stated indifferentiability for the Davies-Meyer construction (which is one of the classical PGV constructions [17]) in the ideal cipher model.

Our Results: In this paper we extend the use of indifferentiability in analyzing hash functions, and we present a proof methodology for determining indifferentiability. We discuss the indifferentiability of several known hash constructions with the random oracle model, including the prefix-free MD hash function. We consider all collision secure PGV hash functions in the ideal cipher model [2] (there are twenty such hash functions). It is easy to check that under the ideal cipher model the underlying compression function is not indifferentiable from a random oracle. So we cannot use the indifferentiability result directly for the prefix-free MD hash function (where we need the underlying compression function to be a random oracle). But we will show that out of twenty, sixteen hash functions with prefix-free padding are indifferentiable from a random oracle. We also prove the indifferentiability of some known double length hash functions in the random oracle model for the underlying single length compression function. Finally, we will also show several differentiability attacks on block-cipher based double length hash functions, namely PBGV, LOKI-DBH, MDC2, etc.

Organization: The organization of this paper is as follows. In Section 2, we define notations and describe the security notion of indifferentiability with some mathematical background and notations which will help to prove the security later. In Section 3, we provide formal proofs for prefix-free single length MD hash functions, PGV hash functions, and double length hash functions. Then, in Section 4, we show the differentiability of some SBL and DBL hash functions. Finally we conclude.

2 Preliminaries and Related Work 

In this section, we briefly describe the random oracle and ideal cipher models and we review how the adversary works in these models. Then some designs of hash functions are stated.

2.1 Ideal Model and Iterated Structure

Random Oracle Model: $f$ is said to be a random oracle from $X$ to $Y$ if for each $x \in X$ the value of $f(x)$ is chosen randomly from $Y$. More precisely, $\Pr[f(x) = y \mid f(x_1) = y_1, f(x_2) = y_2, \ldots, f(x_q) = y_q] = \frac{1}{M}$, where $x \notin \{x_1, \ldots, x_q\}$, $y, y_1, \ldots, y_q \in Y$ and $|Y| = M$. There is an equivalent way to look at a random function: Consider $\mathrm{Map}(X \rightarrow Y)$, the set of all mappings from $X$ to $Y$. $f$ is said to be a random oracle if it is chosen uniformly from the set $\mathrm{Map}(X \rightarrow Y)$. The adversary $A$ can only query $f$ adaptively, say by inputting $x_1, \ldots, x_q$, where $q$ is the total number of queries. Let $y_1, \ldots, y_q$ be the responses of these queries, i.e., $f(x_1) = y_1, \ldots, f(x_q) = y_q$. Since an adversary makes queries adaptively, the $i$-th query $x_i$ only depends on the previous query-responses (in short, q-r) $(x_1, y_1), \ldots, (x_{i-1}, y_{i-1})$ and on the random coins selected by the adversary.

Ideal Cipher Model: The ideal cipher model is the one dating back to Shannon [19] and used, e.g., in [7,10,20]. Let $\mathrm{Bloc}(\mathcal{K}, X) = \{E : \mathcal{K} \times X \rightarrow X : E(k, \cdot) \text{ is a permutation for each } k \in \mathcal{K}\}$. As above, a function $E$ is chosen uniformly from the set $\mathrm{Bloc}(\mathcal{K}, X)$. As $E(k, \cdot)$ (we also use the notation $E_k(\cdot)$) is a permutation, an adversary $A$ can have access to two oracles $E$ and $E^{-1}$. Thus, the q-r's look like $(\sigma_1, k_1, x_1, y_1), \ldots, (\sigma_q, k_q, x_q, y_q)$, where $\sigma_i = \pm 1$ and $E_{k_i}(x_i) = y_i$, $1 \le i \le q$. If $\sigma_i = 1$ then the adversary makes an $E$ query with input $(k_i, x_i)$ and the response is $y_i$, and if $\sigma_i = -1$ then the adversary makes an $E^{-1}$ query with input $(k_i, y_i)$ and the response is $x_i$. Now one can check that, for each $k$, $E_k(\cdot)$ behaves like a random permutation (i.e., $\Pr[E_k(x) = y \mid E_k(x_1) = y_1, \ldots, E_k(x_q) = y_q] = \frac{1}{M - q}$, where $x \notin \{x_1, \ldots, x_q\}$, $y \notin \{y_1, \ldots, y_q\} \subset X$ and $|X| = M$) and for different choices of keys $k_1, \ldots, k_j$, $E_{k_1}(\cdot), \ldots, E_{k_j}(\cdot)$ are independently distributed. See [2] for more details and discussions about black-box models.

Iterated Hash Function: Now given a function $F : Y \times B \rightarrow Y$, one can define an iterated function $F^* : Y \times B^* \rightarrow Y$ as follows:

$$F^*(x, m_1, m_2, \ldots, m_l) = F(\cdots F(F(x, m_1), m_2) \cdots, m_l), \quad m_i \in B,\ x \in Y,$$

where $B^* = \bigcup_{i \ge 0} B^i$. Let $\mathcal{M}$ be a (finite) message space and $g : \mathcal{M} \rightarrow B^*$ be any function, called a padding rule. Then the MD-Hash function based on a compression function $F$, a fixed initial value $IV \in Y$ and a padding rule $g(\cdot)$ is $\mathrm{MD}^F_g(M) = F^*(IV, g(M))$. A padding rule is called prefix-free if $M_1 \ne M_2 \Rightarrow g(M_1)$ is not a prefix of $g(M_2)$. Coron et al. [5] considered prefix-free MD iteration and suggested indifferentiability from the random oracle model.

Given a compression function $F : Y \times B \rightarrow Y$, one can also define a wide compression function $W : Y' \times B' \rightarrow Y'$, where $Y'$ is a bigger set than $Y$. For example, in the case of a double length compression function $Y' = Y \times Y$. An example of a general class of double length compression functions due to Nandi [15] is as follows: $W(x_1, x_2, m) = F(x_1 \,\|\, x_2, m) \,\|\, F(p(x_1 \,\|\, x_2), m)$, where $x_1, x_2 \in Y$, $m \in B'$, $F : Y \times (Y \times B') \rightarrow Y$ and $p$ is a permutation on $Y \times Y$ without any fixed point ($y$ is called a fixed point of $p$ if $p(y) = y$).

2.2 Known Results on Indifferentiability 

In this section we give a brief introduction to indifferentiability and state some known results on it.

Definition 1. [5] A Turing machine $C$ with oracle access to an ideal primitive $\mathcal{F}$ is said to be $(t_D, t_S, q, \epsilon)$-indifferentiable from an ideal primitive $\mathcal{G}$ if there exists a simulator $S$ such that for any distinguisher $D$ it holds that:

$$\left| \Pr[D^{C, \mathcal{F}} = 1] - \Pr[D^{\mathcal{G}, S} = 1] \right| < \epsilon.$$

The simulator has oracle access to $\mathcal{G}$ and runs in time at most $t_S$. The distinguisher runs in time at most $t_D$ and makes at most $q$ queries. Similarly, $C^{\mathcal{F}}$ is said to be (computationally) indifferentiable from $\mathcal{G}$ if $\epsilon$ is a negligible function of the security parameter $k$ (for polynomially bounded $t_D$ and $t_S$).

In this paper, we will mainly consider $C = H^{\mathcal{F}}$, where $H$ is an MD (or prefix-free MD) hash function based on the random oracle model (or ideal cipher model) $\mathcal{F}$ and $\mathcal{G}$ is a random oracle with the same domain and range as the hash function. In the case of the ideal cipher model the distinguisher can access both the $\mathcal{F}$ and $\mathcal{F}^{-1}$ oracles and the simulator has to simulate both.

The following theorem [13] due to Maurer et al. is related to this paper. We explain the theorem for the random oracle model of hash functions. Suppose a hash function (in some design of iteration) $H$ based on a random oracle (or an ideal cipher) $\mathcal{F}$ is indifferentiable from a random oracle $\mathcal{G}$. Then a cryptosystem $\mathcal{P}$ based on the random oracle $\mathcal{G}$ is at least as secure as the cryptosystem $\mathcal{P}$ based on the hash function $H$ in the random oracle model (or an ideal cipher model) $\mathcal{F}$. Here, $\mathcal{F}$ is the underlying compression function of $H$ (or the block cipher in the case of a block cipher based hash function). The original theorem as stated below is a more general statement.

Theorem 1. [13] Let $\mathcal{P}$ be a cryptosystem with oracle access to an ideal primitive $\mathcal{G}$. Let $H$ be an algorithm such that $H^{\mathcal{F}}$ is indifferentiable from $\mathcal{G}$. Then the cryptosystem $\mathcal{P}$ is at least as secure in the $\mathcal{F}$ model with algorithm $H$ as in the $\mathcal{G}$ model.

Coron et al. stated the indifferentiability of the prefix-free MD construction in the random oracle model (or in the ideal cipher model in the case of block-cipher based constructions). In [5] the following theorems are stated.

Theorem 2. [5] The prefix-free MD construction is $(t_D, t_S, q, \epsilon)$-indifferentiable from a random oracle, in the random oracle model for the compression function, for any $t_D$, with $t_S = \ell \cdot O(q^2)$ and $\epsilon = 2^{-n} \cdot \ell^2 \cdot O(q^2)$, where $\ell$ is the maximum length of a query made by the distinguisher $D$.

Theorem 3. The Davies-Meyer hash function (based on the compression function $f(x, m) = E_m(x) \oplus x$ and a prefix-free padding $g$) $\mathrm{MD}^E_g$ is $(t_D, t_S, q, \epsilon)$-indifferentiable from a random oracle, in the ideal cipher model, for any $t_D$, with $t_S = \ell \cdot O(q^2)$ and $\epsilon = 2^{-n} \cdot \ell^2 \cdot O(q^2)$, where $\ell$ is the maximum length of a query made by the distinguisher $D$.

2.3 Adversary in the Random Oracle Model 

A binary relation $\mathcal{R}$ on $(X \times B, X)$ is a subset of $X \times B \times X$. A relation is called a functional relation (or partial functional relation) if for each $(x, m) \in X \times B$ there exists at most one $y \in X$ such that $(x, m, y) \in \mathcal{R}$. Thus, a partial functional relation is uniquely characterized by a partial function $f : X \times B \rightarrow X$ (a partial function may have some points in the domain where the functional value is not defined). Now given a relation $\mathcal{R}$ on $(X \times B) \times X$, one can define a functional closure relation $\mathcal{R}^*$ on $(X \times B^*) \times X$ which is the minimal relation containing $\mathcal{R}$ such that the following are true:

1. $(x_1, M_1, x_2), (x_2, M_2, x_3) \in \mathcal{R}^* \Rightarrow (x_1, M_1 \,\|\, M_2, x_3) \in \mathcal{R}^*$.

2. $(x_1, M_1 \,\|\, M_2, x_3), (x_1, M_1, x_2) \in \mathcal{R}^* \Rightarrow (x_2, M_2, x_3) \in \mathcal{R}^*$.

Thus, if $\mathcal{R}$ corresponds to a partial function $f : X \times B \rightarrow X$, then $\mathcal{R}^*$ corresponds to the partial function $f^*$ which is obtained from the partial function $f$ iteratively. Sometimes, we use the more appealing notation $x_1 \rightarrow_{M_1} x_2 \in \mathcal{R}$ (or $x_1 \rightarrow_{M_1} x_2$ when the relation is clear from the context) to denote that $(x_1, M_1, x_2) \in \mathcal{R}^*$. Thus, in terms of this notation, $\mathcal{R}^*$ is the minimal relation containing $\mathcal{R}$ with the following conditions:

1. If $x_1 \rightarrow_{M_1} x_2 \rightarrow_{M_2} x_3$, then $x_1 \rightarrow_{M_1 \| M_2} x_3$ (transitive property).

2. If $x_1 \rightarrow_{M_1} x_2$ and $x_1 \rightarrow_{M_1 \| M_2} x_3$, then $x_2 \rightarrow_{M_2} x_3$ (substitute property).

Let $D$ be a distinguisher (or an adversary) in the indifferentiability attack. He has access to two oracles $O_1$ and $O_2$. In this scenario, either $(O_1, O_2) = (H, f)$ or $(O_1, O_2) = (\mathrm{Rand}, S)$, where $H = \mathrm{MD}^f_g$ (the prefix-free MD hash function with fixed initial value $IV$), $S$ is any simulator, and $f$ and $\mathrm{Rand}$ are random oracles from $X \times B$ to $X$ and from $\mathcal{M}$ to $X$ respectively. The distinguisher makes successive queries to $O_1$ or $O_2$. Suppose the $i$-th query is an $O_1$ query with the message $M \in \mathcal{M}$ and the response of the query is $h$ (say); then we write $r_i = IV \rightarrow_{g(M)} h$. Otherwise, $r_i = h_1 \rightarrow_m h_2$ for an $O_2$ query $(h_1, m)$ with response $h_2$. Let $\mathcal{R}_i = \{r_1, \ldots, r_i\}$ be the relation characterizing the query-responses after the $i$-th query and $\mathcal{R}_i^*$ be the functional closure of $\mathcal{R}_i$ characterizing the view of the distinguisher after the $i$-th query. Thus, $\mathcal{Q} = (\mathcal{R}_1, \mathcal{R}_2, \ldots, \mathcal{R}_q)$ is the complete query-response tuple and $\mathcal{V} = (\mathcal{R}_1^*, \mathcal{R}_2^*, \ldots, \mathcal{R}_q^*)$ is the complete view of the distinguisher $D$, where $q$ is the total number of queries. Now we define some terminology which will be useful in this context.

1. Define the support of a relation $\mathcal{R}_i$ as the subset of $X$ given by $\mathrm{Supp}(\mathcal{R}_i) = \{h : h \rightarrow_m h_1 \in \mathcal{R}_i\} \cup \{h : h_1 \rightarrow_m h \in \mathcal{R}_i\} \cup \{IV\}$. Note that $\mathrm{Supp}(\mathcal{R}_i) = \mathrm{Supp}(\mathcal{R}_i^*)$.

2. We say $r_i$ is a trivial query if $r_i \in \mathcal{R}_{i-1}^*$. Since $g$ is a prefix-free padding, $r_i$ can be a trivial query only if one of the following holds:

(a) $r_i = IV \rightarrow_{g(M)} h_\ell$, where $IV = h_0 \rightarrow_{m_1} h_1 \rightarrow_{m_2} \cdots h_{\ell-1} \rightarrow_{m_\ell} h_\ell \in \mathcal{R}_{i-1}^*$ and $g(M) = m_1 \,\|\, \cdots \,\|\, m_\ell$.

(b) $r_i = h_{\ell-1} \rightarrow_{m_\ell} h_\ell$, where $IV = h_0 \rightarrow_{m_1} h_1 \rightarrow_{m_2} \cdots h_{\ell-1}$, $IV \rightarrow_{g(M)} h_\ell \in \mathcal{R}_{i-1}^*$ and $g(M) = m_1 \,\|\, \cdots \,\|\, m_\ell$.

(c) $r_i$ is a repetition query, i.e. $r_i = r_j$ for some $j < i$. For simplicity, we can assume that there is no repetition query, as from the distinguisher's point of view it does not help anything.

3. We say $\mathcal{V}$ is not collision free (or in short $\neg\mathrm{CF}$) if for some $i$, $r_i = h \rightarrow_m h'$ is non-trivial and $h' \in \mathrm{Supp}(\mathcal{R}_{i-1}) \cup \{h\}$.
3 Security Analysis

In this section, we explain how to obtain a formal proof of indifferentiability of prefix-free single length or double length or block-cipher based MD hash functions. Let $E$ be an event which is only a function of the view of the distinguisher. In this case we consider the complement of the collision-free event ($\neg\mathrm{CF}$). Thus, there are events $E_1$ and $E_2$ for $E$ when $D$ interacts with $(H, f)$ and $(\mathrm{Rand}, S)$, respectively. Suppose this event is defined carefully so that

1. $(H, f)$ and $(\mathrm{Rand}, S)$ are identically distributed conditioned on the past view of the distinguisher and $E$ not occurring, and

2. $\Pr[E_1], \Pr[E_2] \le \max$, where $\max$ is some negligible function.

Because of item 1, $\Pr[D^{H,f} \rightarrow 1 \mid \neg E_1] = \Pr[D^{R,S} \rightarrow 1 \mid \neg E_2]$. Then, one can show the indifferentiability of $H$ from the random oracle model. More precisely,

$$\begin{aligned}
\mathrm{Adv}(D) &= \left| \Pr[D^{H,f} \rightarrow 1] - \Pr[D^{R,S} \rightarrow 1] \right| \\
&= \big| \Pr[D^{H,f} \rightarrow 1 \mid E_1] \times \Pr[E_1] + \Pr[D^{H,f} \rightarrow 1 \mid \neg E_1] \times \Pr[\neg E_1] \\
&\qquad - \Pr[D^{R,S} \rightarrow 1 \mid E_2] \times \Pr[E_2] - \Pr[D^{R,S} \rightarrow 1 \mid \neg E_2] \times \Pr[\neg E_2] \big| \\
&\le \max \times \left| \Pr[D^{H,f} \rightarrow 1 \mid E_1] - \Pr[D^{R,S} \rightarrow 1 \mid E_2] \right| \\
&\qquad + \Pr[D^{H,f} \rightarrow 1 \mid \neg E_1] \times \left| \Pr[\neg E_1] - \Pr[\neg E_2] \right| \qquad (1) \\
&= \max \times \left| \Pr[D^{H,f} \rightarrow 1 \mid E_1] - \Pr[D^{R,S} \rightarrow 1 \mid E_2] \right| \\
&\qquad + \Pr[D^{H,f} \rightarrow 1 \mid \neg E_1] \times \left| \Pr[E_1] - \Pr[E_2] \right| \qquad (2) \\
&\le \max \times \left| \Pr[D^{H,f} \rightarrow 1 \mid E_1] - \Pr[D^{R,S} \rightarrow 1 \mid E_2] \right| + \max \times \Pr[D^{H,f} \rightarrow 1 \mid \neg E_1] \\
&\le 2 \times \max.
\end{aligned}$$

In (1), $\Pr[D^{H,f} \rightarrow 1 \mid \neg E_1] = \Pr[D^{R,S} \rightarrow 1 \mid \neg E_2]$ and in (2), $\Pr[\neg E_2] - \Pr[\neg E_1] = \Pr[E_1] - \Pr[E_2]$. Thus we have,

$$\mathrm{Adv}(D) \le 2 \times \max\{\Pr[E_1], \Pr[E_2]\}. \qquad (3)$$

Similarly, if $H$ is based on the block cipher $E$, we have the three sets of oracles $(H^E, E, E^{-1})$ or $(\mathrm{Rand}, S, S^{-1})$. Then we can proceed as above.

3.1 Indifferentiability of Prefix-Free Single Length MD Hash Functions

Now we define a simulator $S$ which simulates $f$ so that no distinguisher can distinguish $(R, S)$ from $(H, f)$, where $R$ and $f$ are assumed to be random oracles and $H$ is the prefix-free hash function based on $f$.

Simulator: The simulator keeps the relations $(\mathcal{R}_1, \ldots, \mathcal{R}_{i-1})$. Initially, $\mathcal{R}_0 = \emptyset$. On the $i$-th query $(h_i, x_i)$, the response of $S$ is as follows:

1. If $\exists\, IV \rightarrow_N h_i \in \mathcal{R}_{i-1}$ with $g(M) = N \,\|\, x_i$, then run $\mathrm{Rand}(M)$ and obtain the response $h^*$. Set $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{h_i \rightarrow_{x_i} h^*\}$ and return $h^*$. For more than one choice of $M$, return a random string $h^*$ (this will never happen if $(\mathcal{R}_1, \ldots, \mathcal{R}_q)$ is collision-free).

2. Else return a random string $h^*$ and set $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{h_i \rightarrow_{x_i} h^*\}$.

If the distinguisher is making at most $q$ queries then one can design the above simulator so that it runs in time $O(\ell q)$. In the worst case, the simulator has to backtrack to the initial value to check whether condition (1) is satisfied or not, and this needs at most $O(\ell q)$ time. Note that in [5] the time complexity of the simulator is $O(\ell q^2)$.
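The pieces introduced so far (the prefix-free padding rule and MD iteration of Section 2.1, the relations $\mathcal{R}_i$ and their closure from Section 2.3, and the simulator above) fit into a short executable toy. The following Python code is an added example, not code from the paper: it uses 16-bit chaining values, 7-byte message blocks and a length-block padding rule as the prefix-free $g$ (all assumptions), samples $f$ and $\mathrm{Rand}$ lazily as random oracles, and implements $S$ by recording, for every chaining value $h$, the block sequences $N$ with $IV \rightarrow_N h$; the class and function names are the example's own.

```python
"""Prefix-free MD iteration (Section 2.1) and the simulator S of Section 3.1 as a toy.
Added example; sizes, padding rule and names are assumptions, not the paper's."""
import random

N_BYTES = 2                 # |X| = 2^16: toy chaining-value size
CHUNK = 7                   # message bytes carried per block
IV = b"\x00" * N_BYTES


def g(msg):
    """Prefix-free padding: one block holding len(msg), then zero-padded chunks of msg."""
    blocks = [len(msg).to_bytes(CHUNK, "big")]
    for i in range(0, len(msg), CHUNK):
        blocks.append(msg[i:i + CHUNK].ljust(CHUNK, b"\x00"))
    return blocks


def unpad(blocks):
    """The unique M with g(M) == blocks, or None; lets S recognise g(M) = N || x."""
    if not blocks:
        return None
    n = int.from_bytes(blocks[0], "big")
    cand = b"".join(blocks[1:])[:n]
    return cand if g(cand) == blocks else None


def is_prefix_free(msgs):
    """M1 != M2 => g(M1) is not a prefix of g(M2), checked over a finite message set."""
    padded = {m: g(m) for m in msgs}
    return all(not (m1 != m2 and padded[m2][:len(padded[m1])] == padded[m1])
               for m1 in msgs for m2 in msgs)


class RandomOracle:
    """Lazily sampled random function: each new input gets a fresh uniform n-bit output."""
    def __init__(self, seed):
        self.rng, self.table = random.Random(seed), {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(8 * N_BYTES).to_bytes(N_BYTES, "big")
        return self.table[x]


def md_hash(f, msg):
    """H = MD_g^f(M) = f*(IV, g(M)): the real world (H, f)."""
    h = IV
    for blk in g(msg):
        h = f((h, blk))
    return h


class Simulator:
    """S of Section 3.1: records h ->_x h* and the closure as block paths from IV,
    so a query that completes some g(M) is answered with Rand(M)."""
    def __init__(self, rand, seed):
        self.rand, self.rng = rand, random.Random(seed)
        self.paths = {IV: [[]]}      # h -> list of N with IV ->_N h in R*_{i-1}
        self.supp = {IV}             # Supp(R_{i-1})
        self.collision = False       # the not-CF event of Section 2.3

    def __call__(self, h, x):
        cands = [N + [x] for N in self.paths.get(h, [])]
        msgs = [M for M in map(unpad, cands) if M is not None]
        if len(msgs) == 1:           # case 1: IV ->_N h with g(M) = N || x
            out = self.rand(msgs[0])
        else:                        # case 2 (or several M, which needs a collision)
            out = self.rng.getrandbits(8 * N_BYTES).to_bytes(N_BYTES, "big")
        if out in self.supp or out == h:
            self.collision = True
        self.supp.update((h, out))
        self.paths.setdefault(out, []).extend(cands)
        return out


def consistency_check(msg, seed=7):
    """Ideal world (Rand, S): chaining S over g(msg) from IV must reproduce Rand(msg),
    just as chaining f over g(msg) reproduces H(msg) in the real world."""
    rand = RandomOracle(seed)
    sim = Simulator(rand, seed + 1)
    h = IV
    for blk in g(msg):
        h = sim(h, blk)
    return {"sim_chain": h, "rand": rand(msg), "collision": sim.collision}
```

The last block-query in `consistency_check` is exactly the trivial-query case (b) of Section 2.3: the simulator finds $IV \rightarrow_N h$ with $g(M) = N \,\|\, x$ and must return $\mathrm{Rand}(M)$, otherwise a distinguisher comparing $O_1(M)$ with the chained $O_2$ answers would tell the two worlds apart.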

Distribution of oracles: Here, we study the conditional distribution of all oracles given the past view of the distinguisher and the collision-freeness of the

Let $\mathcal{Q}_i$ be the set of all query-responses after $i$ queries. Let $\mathrm{CF}_1$ and $\mathrm{CF}_2$ denote that the complete view $\mathcal{V}$ is collision free (CF) in the case of $(H, f)$ and $(\mathrm{Rand}, S)$ queries, respectively. Given $\mathcal{Q}_{i-1} \wedge \mathrm{CF}$, the $i$-th query $r_i$ is a trivial query in $(H, f)$ if and only if it is so in $(\mathrm{Rand}, S)$, and the response of a trivial query is uniquely determined by the previous view. So, the output of $H$ or $f$ is the same as the output of $\mathrm{Rand}$ or $S$ respectively. So assume that $r_i$ is not a trivial query.

Lemma 1. Given $\mathcal{Q}_{i-1} \wedge \mathrm{CF}$, the conditional distribution of $H$, $f$, $\mathrm{Rand}$ and $S$ on the $i$-th query $(h_i, x_i)$ is uniform on the set $X \setminus (\mathrm{Supp}(\mathcal{R}_{i-1}) \cup \{h_i\})$ provided it is not a trivial query ($h_i = IV$ for an $O_1$ oracle query).

Proof. In the case of $\mathrm{Rand}$ and $S$, as $\neg\mathrm{CF}_2$ does not hold, the output is drawn randomly outside the set $\mathrm{Supp}(\mathcal{R}_{i-1}) \cup \{h_i\}$. In the case of a $\mathrm{Rand}$ query $M$, since it is a nontrivial query, $\mathrm{Rand}(M)$ has not been queried before, even by the simulator. So, conditioned on $\mathrm{CF}_2$ the distribution of $\mathrm{Rand}(M)$ is uniform on the set $X \setminus (\mathrm{Supp}(\mathcal{R}_{i-1}) \cup \{IV\})$. In the case of an $S$ query $(h_i, x_i)$, the output is not random only if it is a trivial query (where case (1) of the simulator occurs and, for the corresponding message $M$, $\mathrm{Rand}(M)$ has been queried before by the distinguisher). So it is true for both $\mathrm{Rand}$ and $S$. Now we will prove it for $H$.

Let $S_i = \mathrm{Supp}(\mathcal{R}_{i-1}) \cup \{h_i\}$. If we can prove that for all $a \ne a' \notin S_i$, $\Pr[H(M) = a \mid \mathcal{Q}_{i-1} \wedge \mathrm{CF}_1] = \Pr[H(M) = a' \mid \mathcal{Q}_{i-1} \wedge \mathrm{CF}_1]$ then we are done, since for all other choices of $a$ the probability is zero because of the condition $\mathrm{CF}_1$. Given $a$ and $a'$, let $A = \{f : X \times B \rightarrow X : H^f(M) = a \wedge f \text{ satisfies } \mathcal{Q}_{i-1}\}$. Similarly define $A'$ for $a'$. Now one can define a bijection $\phi$ between $A$ and $A'$ in the following way.

1. If $f \in A$ then $\phi(f)(h, x) = f(h, x)$ if $\{f(h, x), h\} \cap \{a, a'\} = \emptyset$.

2. $\phi(f)(a, x) = f(a', x)$ if $f(a', x) \notin \{a, a'\}$. Similarly, $\phi(f)(a', x) = f(a, x)$ if $f(a, x) \notin \{a, a'\}$.

3. If $h \notin \{a, a'\}$ but $f(h, x) = a$ then $\phi(f)(h, x) = a'$. Similarly, if $f(h, x) = a'$ then $\phi(f)(h, x) = a$.

4. There are four other possibilities, i.e.

(a) if $f(a, x) = a$ then $\phi(f)(a', x) = a'$.

(b) if $f(a, x) = a'$ then $\phi(f)(a', x) = a$.

(c) if $f(a', x) = a$ then $\phi(f)(a, x) = a'$.

(d) if $f(a', x) = a'$ then $\phi(f)(a, x) = a$.

Now it is easy to check that $\phi(f)$ is well defined and it belongs to $A'$. Here, we mainly interchange the roles of $a$ and $a'$ in all possible cases of input and output, keeping the other values the same. Thus, given $H^f(M) = a$, we should have $H^{\phi(f)}(M) = a'$ keeping all other equalities fixed (in $\mathcal{Q}_{i-1}$). Now it is also easy to check that this is a bijection as we can define the inverse function similarly. Thus, $|A| = |A'|$ and hence the probabilities are equal. We can prove this similarly for the distribution of $f$, so we skip that proof. ∎

Now we bound the probability of collision events for both cases.

Lemma 2. $\Pr[\neg\mathrm{CF}_1] = O\!\left(\frac{\ell^2 q^2}{2^n}\right)$ and $\Pr[\neg\mathrm{CF}_2] = O\!\left(\frac{\ell^2 q^2}{2^n}\right)$, where $\ell$ is the maximum number of blocks in an $H$-query and $|X| = 2^n$.

Proof. We first assume that there is no trivial query. If there is one, then the probability is smaller as it does not help in a collision. Now we compute the probability that all outputs (including the intermediate hash values for different messages) and inputs of $f$ are distinct. Any choice of input-outputs satisfying the above gives all different inputs to $f$. Thus, the probability of any such choice is $1/2^{nq'}$, where $q'$ is the total number of inputs of $f$. The number of choices of the above tuples is at least $(|X| - 1)(|X| - 3) \cdots (|X| - 2q' + 1)$. Thus, $\Pr[\mathrm{CF}_1] = (|X| - 1)(|X| - 3) \cdots (|X| - 2q' + 1)/2^{nq'} = 1 - O\!\left(\frac{\ell^2 q^2}{2^n}\right)$, since $q' \le \ell q$. In the case of $\Pr[\neg\mathrm{CF}_2]$, the probability is $O\!\left(\frac{\ell^2 q^2}{2^n}\right)$ as the output of the simulator and of $\mathrm{Rand}$ is random except for trivial queries. As trivial queries cannot make a collision, we have the above collision probability. ∎

Combining the lemmas and Equation (3) we obtain the following main theorem of this section.

Theorem 4. Prefix-free single length MD hash functions in a fixed-size random oracle model are $(t_D, t_S, q, \epsilon)$-indifferentiable from a random oracle, for any $t_D$, with $t_S = \ell \cdot O(q)$ and $\epsilon = 2^{-n+1} \cdot \ell^2 \cdot O(q^2)$, where $\ell$ is the maximum length of a query made by the distinguisher $D$.

3.2 Indifferentiability of Prefix-Free PGV Hash Functions

Now we consider all collision secure PGV hash functions. We will show that, in the prefix-free mode, sixteen of the twenty (indexed 1 to 16 in Table 1 of Appendix A) are also indifferentiable from a random oracle. The others (indexed 17 to 20 in Table 1 of Appendix A) are not indifferentiable from a random oracle.



Indifferentiable Security Analysis of Popular Hash Functions

It is easy to check that no PGV compression function is indifferentiable from a random oracle. Thus, we cannot apply the previous theorem directly. First we consider the previous example $f(h_{i-1}, m_i) = E_{m_i}(h_{i-1}) \oplus h_{i-1}$. Coron et al. also considered this example and stated its indifferentiability in [5]. We will define a simulator which simulates both $E$ and $E^{-1}$: on a query $(1, \cdot, \cdot)$ it simulates $E$ and on a query $(-1, \cdot, \cdot)$ it simulates $E^{-1}$.

Simulator. Like the previous simulator, it also keeps the relations $(\mathcal{R}_1, \ldots, \mathcal{R}_{i-1})$. Initially $\mathcal{R}_0 = \emptyset$. Let $\{P_x\}_{x \in X}$ be a family of random permutations. The response of $S$ is as follows:

1. On query $(1, h_i, x_i)$:

 (a) If $IV \to_N h_i$ and $g(M) = N \| x_i$, then run $\mathrm{Rand}(M)$ and obtain the response $h^*$. Return $h^* \oplus h_i$ and set $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{h_i \to_{x_i} h^*\}$ (otherwise behave randomly; as with the previous simulator this case does not occur if collision-freeness holds).

 (b) Else return $P_{x_i}(h_i) = h^*$ and set $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{h_i \to_{x_i} h^* \oplus h_i\}$.

2. On query $(-1, y_i, x_i)$:

 (a) For each $IV \to_N h$ such that $g(M) = N \| x_i$, run $\mathrm{Rand}(M) = h^*$. If $h^* \oplus h = y_i$, return $h$ and set $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{h \to_{x_i} h^*\}$. If there is more than one such $M$, we say the event BAD occurs and return randomly.

 (b) Else return $P^{-1}_{x_i}(y_i) = h$ (say) and set $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{h \to_{x_i} y_i \oplus h\}$.

The time complexity of the simulator is $O(lq^2)$. The worst case occurs when searching all choices of $IV \to_N h$ in the case of an $S^{-1}$ query. We define COLL as defined previously, or BAD occurs. Let $D$ be a distinguisher keeping the relations $\mathcal{R}_i$ and $\mathcal{R}^*_i$. Note that the cipher relation $E_x(y) = z$ corresponds to the hash relation $h \to_m h'$ exactly when $m = x$, $h = y$ and $h' = z \oplus y$. Now for a random permutation either $z$ or $y$ is chosen randomly.

1. For an $E$ query, define $S_i = (\mathrm{Supp}(\mathcal{R}_i) \oplus h_i) \cup P_{x_i}[i]$, where $P_x[i]$ is the set of all images of $P_x$ obtained from $P_x$ or $P_x^{-1}$ queries up to the $i$th query of the distinguisher.

2. For an $E^{-1}$ query, $S_i = \mathrm{Supp}(\mathcal{R}_i) \cup (\mathrm{Supp}(\mathcal{R}_i) \oplus y_i) \cup P^{-1}_{x_i}[i]$, where $P^{-1}_x[i]$ is the set of all images of $P^{-1}_x$.

3. Define $W_i = \{h \oplus h^* : IV \to_M h \to_m h^* \in \mathcal{R}^*_{i-1}$ and $M \| m = g(X)$ for some $X\}$. This set is related to the BAD event.

4. Finally we define $Z_i := S_i \cup W_i \cup \{h_i\}$ (for an $H$ query $h_i = IV$; for an $E^{-1}$ query we can ignore $\{h_i\}$).

Now we say that $\mathcal{V}_i$ is not collision-free if for some $j < i$ the output of the $O_2$ oracle (in the $j$th query) is in $W_j$ and it is not a trivial query. This definition is a modified version of the previous collision-freeness; here the collision set is changed to $W_i$. Similar to the previous results we have the following lemma and main theorem of this section.
Lemma 3. The conditional distribution of $H$, $E$, $E^{-1}$, Rand, $S$ and $S^{-1}$ on the $i$th query, given $Q_{i-1} \wedge \mathrm{CF}$, is uniform on the set $X \setminus W_i$ provided it is not a trivial query, where $h_i = IV$ for an $O_1$ query or $(h_i, x_i)$ is the query for $O_2$. In the case of a trivial query all distributions are degenerate.

Proof. If the query is non-trivial and collision-freeness holds, then Rand, $S$, $S^{-1}$, $E$ and $E^{-1}$ are uniformly distributed on the set $X \setminus W_i$. In the case of $H^E$, the hash function, we can prove that $\Pr[H^E(M_i) = a_1] = \Pr[H^E(M_i) = a_2]$, where $a_1, a_2 \in X \setminus W_i$. While we count all possible functions $E$, we interchange the roles of $a_1$ and $a_2$ in the inputs and outputs of $E$ (as in $H^f$). We skip the details of the proof as it is similar to Lemma 1.

If collision-freeness holds, the response to a trivial query is completely determined by the past view (for all possible oracles). For example, if it is an $S^{-1}$ query then note that there is not more than one choice of $M$ (or $h$, see case (1)), as the BAD event is included in the event $\neg\mathrm{CF}$. Thus there is exactly one $h$, which is completely determined by the past view, and this is the response to this query. The other cases can be checked similarly. ■

Lemma 4. $\Pr[\neg\mathrm{CF}_1] = O(l^2 q^2 / 2^n)$ and $\Pr[\neg\mathrm{CF}_2] = O(l q^2 / 2^n)$, where $l$ is the maximum number of blocks in an $H$-query.

Proof. The proof of the lemma is similar to Lemma 2 except when the BAD event occurs. For each query it happens with probability $O(q/2^n)$, as $\mathrm{Rand}(M) \oplus h = y_i$ has probability $1/2^n$ and there can be at most $2^n$ such $M$'s. ■

Theorem 5. Prefix-free single length MD hash functions in a fixed-size random oracle model are $(t_D, t_S, q, \varepsilon)$-indifferentiable from a random oracle, for any $t_D$, with $t_S = l \cdot O(q^2)$ and $\varepsilon = 2^{-n+1} \cdot l^2 \cdot O(q^2)$, where $l$ is the maximum length of a query made by the distinguisher $D$.

Indifferentiability of Sixteen PGV Hash Functions 

Till now we have shown the case 1 of Appendix A. For the other cases one can make a similar analysis. For example, take $h_i = f(h_{i-1}, m_i) = E_{w_i}(m_i) \oplus h_{i-1}$. Then the cipher relation $E_k(x) = y$ corresponds to the hash relation $h \to_m h'$ exactly when $m = x$, $h = x \oplus k$ and $h' = k \oplus x \oplus y$. One can also define the simulator for the other PGV functions similarly, and the proof of indifferentiability follows in the same way.

1. On query $(1, k_i, x_i)$, i.e. $E_{k_i}(x_i)$:

 (a) If $IV \to_N h_i$ (where $h_i = k_i \oplus x_i$) and $g(M) = N \| x_i$, then run $\mathrm{Rand}(M)$ and obtain the response $h^*$. Return $h^* \oplus k_i \oplus x_i$ and set $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{(k_i \oplus x_i) \to_{x_i} h^*\}$ (otherwise behave randomly; as with the previous simulator this case does not occur if collision-freeness holds).

 (b) Else return $P_{k_i}(x_i) = h^*$ and set $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{k_i \oplus x_i \to_{x_i} h^* \oplus k_i \oplus x_i\}$.

2. On query $(-1, k_i, y_i)$, i.e. $E^{-1}_{k_i}(y_i)$:

 (a) For each $IV \to_N h$ such that $g(M) = N \| (k_i \oplus h)$, run $\mathrm{Rand}(M) = h^*$. If $h^* \oplus h = y_i$, return $h \oplus k_i$ and set $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{h \to_{k_i \oplus h} h^*\}$. If there is more than one such $M$, we say the event BAD occurs and return randomly.

 (b) Else return $P^{-1}_{k_i}(y_i) = h$ (say) and set $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{k_i \oplus h \to_h y_i \oplus h \oplus k_i\}$.

3.3 Indifferentiability of Double Length Hash Functions

Now we consider the double length construction. A $2n$-bit hash value $x_l = (h_l, g_l)$ is computed from an $nl$-bit message $(m_1, m_2, \ldots, m_l)$ as follows. For $i = 1, 2, \ldots, l$, $F(x_{i-1}, m_i) = (h_i, g_i)$ such that

$$h_i = f(h_{i-1}, g_{i-1}, m_i)$$

$$g_i = f(p(h_{i-1}, g_{i-1}), m_i)$$

where $p$ is a permutation on $2n$ bits with no fixed point and $p(g, h) \neq (h, g)$ for any $h, g$. Further we assume that $p^2(\cdot)$ is the identity permutation. One example would be $p(x) = \bar{x}$, where $\bar{x}$ is the bitwise complement. We define an equivalence relation $w \equiv w^*$ if $w = p(w^*)$ or $w = w^*$. Like the previous simulator we define the simulator as follows:

Simulator: The simulator keeps the relations $(\mathcal{R}_1, \ldots, \mathcal{R}_{i-1})$. Initially $\mathcal{R}_0 = \emptyset$. On the $i$th query $(h_i, g_i, x_i)$, the response of $S$ is as follows:

1. If the $i$th query is the same as a previous query, output the same output as for the previous query.

2. Else if there exists $IV \to_N h\|g \in \mathcal{R}_{i-1}$ with $g(M) = N \| x_i$, where $h\|g \equiv h_i\|g_i$, then run $\mathrm{Rand}(M)$ and obtain the response $h^*\|g^*$. For more than one choice of $M$, return a random string $h^*\|g^*$ (this will never happen if $(\mathcal{R}_1, \ldots, \mathcal{R}_q)$ is collision-free).

 (a) If $h\|g = h_i\|g_i$ then return $h^*$.

 (b) If $h\|g = p(h_i\|g_i)$ then return $g^*$.

 (c) If $(p(h_i\|g_i), x_i)$ has been queried before then

  i. If $h\|g = h_i\|g_i$ then $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{h\|g \to_{x_i} h^*\|g^*\}$.

  ii. If $h\|g = p(h_i\|g_i)$ then $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{h\|g \to_{x_i} g^*\|h^*\}$.

3. Else return a random string $h^*$. If $(p(h_i\|g_i), x_i)$ has been queried before with response $g^*$, then $\mathcal{R}_i = \mathcal{R}_{i-1} \cup \{h_i\|g_i \to_{x_i} h^*\|g^*\} \cup \{p(h_i\|g_i) \to_{x_i} g^*\|h^*\}$.

If the distinguisher makes at most $q$ queries, then one can design the above simulator so that it runs in time $O(lq)$. In the worst case the simulator has to backtrack to the initial value to check whether condition (1) is satisfied or not, and this needs at most $O(lq)$ time. Similar to the previous results we have the following lemma and main theorem of this section. Similar to the prefix-free MD construction, we can define support and collision-freeness.

1. Define the support of a relation $\mathcal{R}_i$ as the subset of $X$ given by $\mathrm{Supp}(\mathcal{R}_i) = \{h\|g,\, p(h\|g) : h\|g \to h_i\|g_i \in \mathcal{R}_i\} \cup \{h\|g,\, p(h\|g) : h_i\|g_i \to h\|g \in \mathcal{R}_i\} \cup \{IV\}$. Note that $\mathrm{Supp}(\mathcal{R}_i) = \mathrm{Supp}(\mathcal{R}^*_i)$.

2. We say $r_i$ is a trivial query if $r_i \in \mathcal{R}^*_{i-1}$. Since $g$ is a prefix-free padding, $r_i$ can be a trivial query only if one of the following holds:

 (a) $r_i = IV \to_{g(M)} h_\ell\|g_\ell$, where $IV = h_0\|g_0 \to_{m_1} h_1\|g_1 \to_{m_2} \cdots \to_{m_\ell} h_\ell\|g_\ell \in \mathcal{R}^*_{i-1}$ and $g(M) = m_1 \| \ldots \| m_\ell$.

 (b) $r_i = h_{\ell-1}\|g_{\ell-1} \to_{m_\ell} h_\ell$ or $p(h_{\ell-1}\|g_{\ell-1}) \to_{m_\ell} g_\ell$, where $IV = h_0\|g_0 \to_{m_1} h_1\|g_1 \to_{m_2} \cdots \to h_{\ell-1}\|g_{\ell-1}$, $IV \to_{g(M)} h_\ell\|g_\ell \in \mathcal{R}^*_{i-1}$ and $g(M) = m_1 \| \ldots \| m_\ell$.

 (c) $r_i$ is a repetition query, i.e. $r_i = r_j$ for some $j < i$. For simplicity we can assume that there is no repetition query, as from the distinguisher's point of view it does not help at all.

3. We say $\mathcal{V}$ is not collision-free (in short $\neg\mathrm{CF}$) if for some $i$ one of the following holds:

 (a) In case of an $O_1$ query: $r_i = h_i\|g_i \to_m h'\|g'$ is non-trivial and $h'\|g' \in \mathrm{Supp}(\mathcal{R}_{i-1}) \cup \{h_i\|g_i\}$.

 (b) In case of an $O_2$ query: $r_i = h_i\|g_i \to_{m_i} h'$ is non-trivial, $O_2(p(h_i\|g_i), x_i) = g'$ has been queried before, and $h'\|g'$ or $g'\|h' \in \mathrm{Supp}(\mathcal{R}_{i-1}) \cup \{p(h_i\|g_i)\}$.

Lemma 5. Given $Q_{i-1} \wedge \mathrm{CF}$, the conditional distribution of $H$, $f$, Rand and $S$ on the $i$th query is uniform on the set $X \setminus (\mathrm{Supp}(\mathcal{R}_{i-1}) \cup \{h_i\|g_i\})$ provided it is not a trivial query, where $h_i\|g_i = IV$ for an $O_1$ query or $(h_i\|g_i, x_i)$ is the query for $O_2$.

Proof. Given $a\,(= a_1 \| a_2)$ and $a'\,(= a'_1 \| a'_2) \in X \setminus (\mathrm{Supp}(\mathcal{R}_{i-1}) \cup \{h_i\|g_i\})$, let $A = \{f : X \times B \to X : H^f(M) = a \wedge f \text{ satisfies } Q_{i-1}\}$. Similarly define $A'$ for $a'$. As for the prefix-free MD construction, we can define a bijection $\phi$ between $A$ and $A'$ similar to Lemma 5.

1. If $f \in A$ then $\phi(f)(b, x) \| \phi(f)(p(b), x) = f(b, x) \| f(p(b), x)$ if $\{f(b, x) \| f(p(b), x),\ b\} \cap \{a, a'\} = \emptyset$.

2. $\phi(f)(a, x) \| \phi(f)(p(a), x) = f(a', x) \| f(p(a'), x)$ if $f(a', x) \| f(p(a'), x) \notin \{a, a'\}$. Similarly, $\phi(f)(a', x) \| \phi(f)(p(a'), x) = f(a, x) \| f(p(a), x)$ if $f(a, x) \| f(p(a), x) \notin \{a, a'\}$.

3. If $b \notin \{a, a'\}$ but $f(b, x) \| f(p(b), x) = a$ then $\phi(f)(b, x) \| \phi(f)(p(b), x) = a'$. Similarly, if $f(b, x) \| f(p(b), x) = a'$ then $\phi(f)(b, x) \| \phi(f)(p(b), x) = a$.

4. There are four other possibilities, i.e.

 (a) if $f(a, x) \| f(p(a), x) = a$ then $\phi(f)(a', x) \| \phi(f)(p(a'), x) = a'$.

 (b) if $f(a, x) \| f(p(a), x) = a'$ then $\phi(f)(a', x) \| \phi(f)(p(a'), x) = a$.

 (c) if $f(a', x) \| f(p(a'), x) = a$ then $\phi(f)(a, x) \| \phi(f)(p(a), x) = a'$.

 (d) if $f(a', x) \| f(p(a'), x) = a'$ then $\phi(f)(a, x) \| \phi(f)(p(a), x) = a$.

Now it is easy to check that $\phi(f)$ is well defined and belongs to $A'$. Here we mainly interchange the roles of $a$ and $a'$ in all possible cases of input and output, keeping the others the same. Thus, given $H^f(M) = a$, we should have $H^{\phi(f)}(M) = a'$ keeping all other equalities fixed (in $Q_{i-1}$). Now it is also easy to check that this is a bijection, as we can define the inverse function similarly. Thus $|A| = |A'|$ and hence the probabilities are equal. We can prove similarly for the distribution of $f$. So we skip the proof of this. ■

Now we bound the probability of collision events for both cases. 

Lemma 6. $\Pr[\neg\mathrm{CF}_1] = O(l^2 q^2 / |X|)$ and $\Pr[\neg\mathrm{CF}_2] = O(l q^2 / |X|)$, where $l$ is the maximum number of blocks in an $H$-query and $|X| = 2^{2n}$.

Proof. The proof is also similar to the Lemma 2. So we skip the proof. ■ 

Theorem 6. Let $F$ be the above double length hash function. Then for any prefix-free function $g$, $MD^F_g$ in a single-size random oracle model is $(t_D, t_S, q, \varepsilon)$-indifferentiable from a random oracle, for any $t_D$, with $t_S = l \cdot O(q)$ and $\varepsilon = 2^{-2n+1} \cdot l^2 \cdot O(q^2)$, where $l$ is the maximum length of a query made by the distinguisher $D$.

4 Attack on Some SBL and DBL Hash Functions 

In this section we define the PGV and PBGV hash functions and give indifferentiability attacks on some of them. We show only attacks with a one-block padded message; messages of more than one block can be attacked similarly.

The Preneel-Govaerts-Vandewalle (PGV) Schemes [17] 

Let $x_0$ be the initial value and $k = N$. $E$ is an $N$-bit block cipher with an $N$-bit key. An $N$-bit hash value $x_l$ is computed from an $lN$-bit message $(m_1, m_2, \ldots, m_l)$ as follows. For $i = 1, 2, \ldots, l$,

$$F(x_{i-1}, m_i) = x_i = E_a(b) \oplus c$$

where $a, b, c \in \{x_{i-1}, m_i, v, x_{i-1} \oplus m_i\}$. Here $v$ is a constant.

Among the 20 collision resistant PGV schemes, even if we use a prefix-free padding $g$, we show that 4 schemes are differentiable from a random oracle. The 4 schemes are $F_1(h_{i-1}, m_i) = E_{h_{i-1}}(m_i) \oplus m_i$, $F_2(h_{i-1}, m_i) = E_{h_{i-1}}(m_i \oplus h_{i-1}) \oplus m_i \oplus h_{i-1}$, $F_3(h_{i-1}, m_i) = E_{h_{i-1}}(m_i) \oplus m_i \oplus h_{i-1}$, and $F_4(h_{i-1}, m_i) = E_{h_{i-1}}(m_i \oplus h_{i-1}) \oplus m_i$. Here we consider $F_1$. Similarly, we can show the insecurity of the other 3 cases.

- The distinguisher $D$ can access oracles $(O_1, O_2)$ where $(O_1, O_2)$ is $(H, E, E^{-1})$ or $(\mathrm{Rand}, S, S^{-1})$.

 • Make a random query $M$ such that $g(M) = m$ and $|m| = n$. Then give the query $M$ to oracle $O_1$ and receive $z$.

 • Make an inverse query $(-1, x_0, z \oplus m)$ to $O_2$ and receive $m^*$.

 • If $m = m^*$ output 1, otherwise 0.

 • Since any simulator $S$ can know the random $m$ only with probability $2^{-n}$,

$$\left|\Pr[D^{H,E,E^{-1}} = 1] - \Pr[D^{\mathrm{Rand},S,S^{-1}} = 1]\right| = 1 - 2^{-n}.$$

This is not negligible. So $MD^{F_1}_g$ is differentiable from a random oracle.
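As an added illustration (not code from the paper), the $F_1$ distinguisher above run on a toy instance: a lazily sampled ideal cipher stands in for $E$, a lazily sampled table for Rand, and the simulator answers inverse queries with an independent random permutation (an assumption about $S$; the paper's point is that no $S$ can do better than guessing $m$). The block size, initial value and seeds are constructed.

```python
import random

# Added example, not from the paper. N_BITS is deliberately tiny so that the
# ideal cipher can be lazily sampled; the paper's argument is for n-bit E.
N_BITS = 16
IV = 0x1234                      # constructed initial value x_0 (assumption)


class IdealCipher:
    """Lazily sampled family of random permutations {E_k}: enc(k, x), dec(k, y)."""

    def __init__(self, rng):
        self.rng = rng
        self.fwd = {}            # (k, x) -> y
        self.inv = {}            # (k, y) -> x

    def enc(self, k, x):
        if (k, x) not in self.fwd:
            y = self.rng.getrandbits(N_BITS)
            while (k, y) in self.inv:        # keep E_k injective
                y = self.rng.getrandbits(N_BITS)
            self.fwd[(k, x)], self.inv[(k, y)] = y, x
        return self.fwd[(k, x)]

    def dec(self, k, y):
        if (k, y) not in self.inv:
            x = self.rng.getrandbits(N_BITS)
            while (k, x) in self.fwd:
                x = self.rng.getrandbits(N_BITS)
            self.fwd[(k, x)], self.inv[(k, y)] = y, x
        return self.inv[(k, y)]


def md_f1(E, blocks):
    """MD iteration of PGV scheme 17, F_1(h, m) = E_h(m) xor m, started at IV.
    For the one-block attack the padding g(M) = m is the identity (|m| = n)."""
    h = IV
    for m in blocks:
        h = E.enc(h, m) ^ m
    return h


def distinguisher(o1, o2_inv, rng):
    """The paper's D: 1 iff the inverse query recovers the random message block."""
    m = rng.getrandbits(N_BITS)          # random one-block M with g(M) = m
    z = o1((m,))                          # O_1 query
    m_star = o2_inv(IV, z ^ m)            # inverse query (-1, x_0, z xor m) to O_2
    return 1 if m_star == m else 0


def run_real(seed):
    """World (H, E, E^{-1}): O_1 = MD^{F_1} built on the ideal cipher E."""
    E = IdealCipher(random.Random(f"E-{seed}"))
    return distinguisher(lambda blocks: md_f1(E, blocks), E.dec,
                         random.Random(f"D-{seed}"))


def run_ideal(seed):
    """World (Rand, S, S^{-1}): O_1 is a lazily sampled random oracle; the
    simulator answers inverse queries with an independent random permutation.
    Assumption: S never sees D's O_1 query, so it has no way to learn m."""
    table, ro_rng = {}, random.Random(f"RO-{seed}")

    def rand_oracle(blocks):
        if blocks not in table:
            table[blocks] = ro_rng.getrandbits(N_BITS)
        return table[blocks]

    S = IdealCipher(random.Random(f"S-{seed}"))
    return distinguisher(rand_oracle, S.dec, random.Random(f"D-{seed}"))


def advantage(trials, seed=0):
    """Empirical |Pr[D^{H,E,E^-1} = 1] - Pr[D^{Rand,S,S^-1} = 1]| over `trials` runs;
    the paper's bound is 1 - 2^{-n}."""
    real = sum(run_real(seed + t) for t in range(trials))
    ideal = sum(run_ideal(seed + t) for t in range(trials))
    return abs(real - ideal) / trials


if __name__ == "__main__":
    print("real world:", run_real(1), "ideal world:", run_ideal(1))
    print("empirical advantage over 200 trials:", advantage(200))
```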
The Preneel-Bosselaers-Govaerts-Vandewalle (PBGV) Scheme [16]

Let $x_0 = (h_0, g_0)$ be the initial value, $N = 2n$ and $k = N$. $E$ is an $N$-bit block cipher with an $N$-bit key. An $N$-bit hash value $x_l = (h_l, g_l)$ is computed from an $lN$-bit message $m = (m_1, m_2, \ldots, m_l)$ where $m_i = (m_{i,1}, m_{i,2})$ and $|m_{i,1}| = |m_{i,2}| = n$. For $i = 1, 2, \ldots, l$, $F(x_{i-1}, m_i) = (h_i, g_i)$ is defined as follows.

$$h_i = E_{m_{i,1} \oplus m_{i,2}}(h_{i-1} \oplus g_{i-1}) \oplus m_{i,1} \oplus h_{i-1} \oplus g_{i-1}$$

$$g_i = E_{m_{i,1} \oplus h_{i-1}}(m_{i,2} \oplus g_{i-1}) \oplus m_{i,2} \oplus h_{i-1} \oplus g_{i-1}$$

The following is the indifferentiability attack for the PBGV scheme.

- The distinguisher $D$ can access oracles $(O_1, O_2)$ where $(O_1, O_2)$ is $(H, E, E^{-1})$ or $(\mathrm{Rand}, S, S^{-1})$.

 • Make a random query $M$ such that $g(M) = m_1 = m_{1,1} \| m_{1,2}$ and $|m_1| = 2n$. Then give the query $M$ to oracle $O_1$ and receive $x_1 = (h_1, g_1)$.

 • Make an inverse query $(-1, m_{1,2} \oplus h_0 \oplus g_0 \oplus g_1, m_{1,1} \oplus h_0)$ to $O_2$ and receive $out$.

 • If $out = m_{1,2} \oplus g_0$ output 1, otherwise 0.

 • Since any simulator $S$ can know the random $m_{1,2}$ only with probability $2^{-n}$,

$$\left|\Pr[D^{H,E,E^{-1}} = 1] - \Pr[D^{\mathrm{Rand},S,S^{-1}} = 1]\right| = 1 - 2^{-n}.$$

This is not negligible. So $MD^F_g$ is differentiable from a random oracle.

By using the same idea one can find indifferentiability attacks on QG-I, LOKI DBH, MDC-2 and some of Hirose's double length hash constructions.

5 Conclusion

As hash functions are often a popular candidate for approximating a random oracle, the notion of indifferentiability is important to study. In this paper we have studied many known designs of hash functions in terms of indifferentiability. Some of them are secure, and against some of them we have found attacks. So there are many designs, for example the sixteen PGV hash functions, which are secure beyond collision security. This paper also presents a unified way to prove indifferentiability for many designs of hash functions. Finally we note that there are still many designs whose security analysis from the viewpoint of indifferentiability is open.
Appendix A: Table of Twenty PGV Hash Functions

Table 1. 20 Collision Resistant PGV Hash Functions in the Ideal Cipher Model ($w_i = m_i \oplus h_{i-1}$).

Case  PGV                                   Case  PGV
1     $E_{m_i}(h_{i-1}) \oplus h_{i-1}$     11    $E_{m_i}(h_{i-1}) \oplus v$
2     $E_{m_i}(w_i) \oplus w_i$             12    $E_{w_i}(h_{i-1}) \oplus v$
3     $E_{m_i}(h_{i-1}) \oplus w_i$         13    $E_{m_i}(h_{i-1}) \oplus m_i$
4     $E_{m_i}(w_i) \oplus h_{i-1}$         14    $E_{w_i}(h_{i-1}) \oplus w_i$
5     $E_{w_i}(m_i) \oplus m_i$             15    $E_{m_i}(w_i) \oplus v$
6     $E_{w_i}(h_{i-1}) \oplus h_{i-1}$     16    $E_{m_i}(w_i) \oplus m_i$
7     $E_{w_i}(m_i) \oplus h_{i-1}$         17    $E_{h_{i-1}}(m_i) \oplus m_i$
8     $E_{w_i}(h_{i-1}) \oplus m_i$         18    $E_{h_{i-1}}(w_i) \oplus w_i$
9     $E_{w_i}(m_i) \oplus v$               19    $E_{h_{i-1}}(m_i) \oplus w_i$
10    $E_{w_i}(m_i) \oplus w_i$             20    $E_{h_{i-1}}(w_i) \oplus m_i$

Abstract. We point out that the seemingly strong pseudorandom oracle preserving (PRO-Pr) property of hash function domain-extension transforms defined and implemented by Coron et al. [1] can actually 
weaken our guarantees on the hash function, in particular producing a 
hash function that fails to be even collision-resistant (CR) even though 
the compression function to which the transform is applied is CR. Not 
only is this true in general, but we show that all the transforms pre- 
sented in [1] have this weakness. We suggest that the appropriate goal of 
a domain extension transform for the next generation of hash functions 
is to be multi-property preserving, namely that one should have a single 
transform that is simultaneously at least collision-resistance preserving, 
pseudorandom function preserving and PRO-Pr. We present an efficient 
new transform that is proven to be multi-property preserving in this 
sense. 

Keywords: Hash functions, random oracle, Merkle-Damgard, collision- 
resistance, pseudorandom function. 

1 Introduction 

Background. Recall that hash functions are built in two steps. First, one designs a compression function $h: \{0,1\}^{d+n} \to \{0,1\}^n$, where $d$ is the length of a data block and $n$ is the length of the chaining variable. Then one specifies a domain extension transform $H$ that utilizes $h$ as a black box to implement the hash function $H^h: \{0,1\}^* \to \{0,1\}^n$ associated to $h$. All widely-used hash functions use the Merkle-Damgard (MD) transform [2,3] because it has been proven [2,3] to be collision-resistance preserving (CR-Pr): if $h$ is collision-resistant (CR) then so is $H^h$. This means that the cryptanalytic validation task can be confined to the compression function.

A rising bar. Current usage makes it obvious that CR no longer suffices as 
the security goal for hash functions. In order to obtain MACs and PRFs, hash 
functions were keyed. The canonical construct in this domain is HMAC [4,5] 
which is widely standardized and used. (NIST FIPS 198, ANSI X9.71, IETF 
RFC 2104, SSL, SSH, IPSEC, TLS, IEEE 802.11i, and IEEE 802.16e are only 
some instances.) Hash functions are also used to instantiate random oracles [6] 
in public-key schemes such as RSA-OAEP [7] and RSA-PSS [8] in the RSA 
PKCS#1 v2.1 standard [9]. CR is insufficient for arguing the security of hash 
function based MACs or PRFs, let alone hash-function based random oracles. And 
it does not end there. Whether hash function designers like it or not, application 
builders will use hash functions for all kinds of tasks that presume beyond- CR 
properties. Not all such uses can be sanctified, but the central and common ones 
should be. We think that the type of usage we are seeing for hash functions 
will continue, and it is in the best interests of security to make the new hash 
functions rise as far towards this bar as possible, by making them strong and 
versatile tools that have security attributes beyond CR. 

This paper. Towards the goal of building strong, multi-purpose hash functions, 
our focus is on domain extension, meaning we wish to determine which domain 
extension transforms are best suited to this task. The first part of our work 
examines a natural candidate, namely transforms that are pseudorandom oracle 
preserving as per [1], and identifies some weaknesses of this goal. This motivates 
the second part, where we introduce the notion of a multi-property preserving 
(MPP) transform, argue that this should be the target goal, and present and 
prove the correctness of an efficient MPP transform that we refer to as EMD. 
Let us now look at all this in more depth. 

Random-oracle preservation. Coron, Dodis, Malinaud and Puniya [1] make 
the important observation that random oracles are modeled as monolithic enti- 
ties (i.e., are black boxes working on domain {0, 1}*), but in practice are instan- 
tiated by hash functions that are highly structured due to the design paradigm 
described above, leading for example to the extension attack. Their remedy for 
this logical gap is to suggest that a transform H be judged secure if, when 
modeling h as a fixed-input-length random oracle, the resulting scheme H h be- 
haves like a random oracle. They give a formal definition of “behaving like a 
random oracle” using the indifferentiability framework of Maurer et al. [10]. We 
use the moniker pseudorandom oracle to describe any construction that is in- 
differentiable from a random oracle. (Note that a random oracle itself is always 
a pseudorandom oracle.) The framework has the desirable property that any 
scheme proven secure in the random oracle model of [6] is still secure when we 
replace the random oracles with pseudorandom oracles. We call the new secu- 
rity goal of [1] pseudorandom oracle preservation (PRO-Pr). They propose four 
transforms which they prove to be PRO-Pr. 

PRO-Pr seems like a very strong property to have. One reason one might 
think this is that it appears to automatically guarantee that the constructed 
hash function has many nice properties. For example, that the hash function 
created by a PRO-Pr transform would be CR. Also that the hash function could 
be keyed in almost any reasonable way to yield a PRF and MAC. And so on. This 
would be true, because random oracles have these properties, and hence so do 
pseudorandom oracles. Thus, one is led to think that one can stop with PRO-Pr: 
once the transform has this property, we have all the attributes we desire from 
the constructed hash function. 
Weakness of PRO-Pr. The first contribution of this paper is to point out 
that the above reasoning is flawed and there is a danger to PRO-Pr in prac- 
tice. Namely, the fact that a transform is PRO-Pr does not guarantee that the 
constructed hash function is CR, even if the compression function is CR. We 
demonstrate this with a counter-example. Namely we give an example of a trans- 
form that is PRO-Pr, yet there is a CR compression function such that the hash 
function resulting from the transform is not CR. That is, the transform is PRO- 
Pr but not CR-Pr, or, in other words, PRO-Pr does not imply CR-Pr. What this 
shows is that using a PRO-Pr transform could be worse than using the standard, 
strengthened Merkle-Damgard transform from the point of view of security be- 
cause at least the latter guarantees the hash function is CR if the compression 
function is, but the former does not. If we blindly move to PRO-Pr transforms, 
our security guarantees are actually going down, not up. 

How can this be? It comes about because PRO-Pr provides guarantees only 
if the compression function is a random oracle or pseudorandom oracle. But of 
course any real compression function is provably not either of these. (One can 
easily differentiate it from a random oracle because it can be computed by a small 
program.) Thus, when a PRO-Pr transform works on a real compression function, 
we have essentially no provable guarantees on the resulting hash function. This 
is in some ways analogous to the kinds of issues pointed out in [11,12] about the impossibility, in some cases, of instantiating random oracles.

The transforms of [1] are not CR-Pr. The fact that a PRO-Pr transform 
need not in general be CR-Pr does not mean that some particular PRO-Pr trans- 
form is not CR-Pr. We therefore investigate each of the four PRO-Pr schemes 
suggested by [1]. The schemes make slight modifications to the MD transform: 
the first applies a prefix-free encoding, the second “throws” away some of the 
output, and the third and fourth utilize an extra compression function applica- 
tion. Unfortunately, we show that none of the four transforms is CR-Pr. We do 
this by presenting an example CR compression function h such that applying 
each of the four transforms to it results in a hash function for which finding col- 
lisions is trivial. In particular, this means that these transforms do not provide 
the same guarantee as the existing and in-use Merkle-Damgard transform. For 
this reason we think these transforms should not be considered suitable for use 
in the design of new hash functions. 

What this means. We clarify that we are not suggesting that the pseudoran- 
dom oracle preservation goal of [1] is unimportant or should not be achieved. 
In fact we think it is a very good idea and should be a property of any new 
transform. This is so because in cases where we are (heuristically) assuming the 
hash function is a random oracle, this goal reduces the assumption to the com- 
pression function being a random oracle. What we have shown above, however, 
is that by itself, it is not enough because it can weaken existing, standard-model 
guarantees. This leads to the question of what exactly is enough, or what we 
should ask for in terms of a goal for hash domain extension transforms. 
MPP transforms. The two-step design paradigm in current use is compelling because it reduces the cryptanalytic task of providing CR of the hash function to certifying only that the compression function has the same property. It makes sense to seek other attributes via the appropriate extension of this paradigm. We suggest that, if we want a hash function with properties $P_1, \ldots, P_n$, then we should (1) design a compression function $h$ with the goal of having properties $P_1, \ldots, P_n$, and (2) apply a domain extension transform $H$ that provably preserves $P_i$ for every $i \in [1..n]$. We call such a compression function a multi-property one, and we call such a transform a multi-property-preserving domain extension transform (from now on simply an MPP transform). Note that we 
want a single transform that preserves multiple properties, resulting in a sin- 
gle, multi-property hash function, as opposed to a transform per property which 
would result in not one but numerous hash functions. We suggest that multi- 
property preservation is the goal a transform should target. 

Properties to preserve. Of course the next question to ask is which proper- 
ties our MPP domain extension transform should preserve. We wish, of course, 
that the transform continue to be CR-Pr, meaning that it preserve CR. The sec- 
ond thing we ask is that it be pseudorandom function preserving (PRF-Pr). That 
is, if an appropriately keyed version of the compression function is a PRF then 
the appropriately keyed version of the hash function must be a PRF too. This 
goal is important due to the many uses of hash functions as MACs and PRFs via 
keying as mentioned above. Indeed, if we have a compression function that can 
be keyed to be a PRF and our transform is PRF-Pr then obtaining a PRF or MAC 
from a hash function will be simple and the construction easy to justify. The 
final goal we will ask is that the transform be PRO-Pr. Compelling arguments 
in favor of this goal were made at length in [1] and briefly recalled above. 

To be clear, we ask that, for a transform $H$ to be considered suitable, one should do the following. First, prove that $H^h$ is CR using only the fact that $h$ is CR. Then show that $H^h$ is a pseudorandom oracle when $h$ is a pseudorandom oracle. Finally, use some natural keying strategy to key $H^h$ and, assuming that $h$ is a good PRF, prove that $H^h$ is also a good PRF. We note that such an MPP transform will not suffer from the weakness of the transforms of [1] noted above because it will be not only PRO-Pr but also CR-Pr and PRF-Pr.

New transform. There is to date no transform with all the properties above. 
(Namely, that it is PRO-Pr, CR-Pr and PRF-Pr.) The next contribution of this 
paper is a new transform EMD (Enveloped Merkle-Damgard) which is the first 
to meet our definition of hash domain extension security: EMD is proven to be 
CR-Pr, PRO-Pr, and PRF-Pr. The transform is simple and easy to implement in 
practice (see the figure in Section 5). It combines two mechanisms to ensure that 
it preserves all the properties of interest. The first mechanism is the well-known 
Merkle-Damgard strengthening [2]: we always concatenate an input message with 
the 64-bit encoding of its length. This ensures that EMD is CR-Pr. The second 
mechanism is the use of an “envelope” to hide the internal MD iteration — we 
apply the compression function in a distinguished way to the output of the plain 
MD iteration. Envelopes in this setting were previously used by the NMAC and 
Transform                 CR-Pr   PRO-Pr   PRF-Pr   Uses of $h$ for $|M| = b > d$
Plain MD (MD)             No      No       No       $\lceil (b+1)/d \rceil$
Strengthened MD (SMD)     [2,3]   No       No       $\lceil (b+1+64)/d \rceil$
Prefix-Free (PRE)         No      [1]      [13]     $\lceil (b+1)/(d-1) \rceil$
Chop Solution (CHP)       No      [1]      ?        $\lceil (b+1)/d \rceil$
NMAC Construction (NT)    No      [1]      ?        $1 + \lceil (b+1)/d \rceil$
HMAC Construction (HT)    No      [1]      ?        $2 + \lceil (b+1)/d \rceil$
Enveloped MD (EMD)        [2]     Thm. 1   Thm. 2   $\lceil (b+1+64+n)/d \rceil$

Fig. 1. Comparison of transform security and efficiency when applied to a compression function $h: \{0,1\}^{n+d} \to \{0,1\}^n$. The last column specifies the number of calls to $h$ needed to hash a $b$-bit message $M$ (where $b > d$) under each transform and a typical padding function (which minimally adds a bit of overhead).


HMAC constructions [4] to build PRFs out of compression functions, and again 
in two of the PRO-Pr transforms of [1], which were also based on NMAC and 
HMAC. We utilize the envelope in a way distinct from these prior constructions. 
Particularly, we include message bits as input to the envelope, which increases 
the efficiency of the scheme. Second, we utilize a novel reduction technique in our 
proof that EMD is PRO-Pr to show that simply fixing n bits of the envelope’s 
input is sufficient to cause the last application of the random oracle to behave 
independently with high probability. This simple solution allows our transform 
to be PRO-Pr using a single random oracle without using the other work-arounds 
previously suggested (e.g., prefix-free encodings or prepending a block of zeros 
to input messages). A comparison of various transforms is given in Fig. 1.

Patching existing transforms. We remark that it is possible to patch the transforms of [1] so that they are CR-Pr. Namely, one could use Merkle-Damgard 
strengthening, which they omitted. However our transform still has several ad- 
vantages over their transforms. One is that ours is cheaper, i.e. more efficient, 
and this matters in practice. Another is that ours is PRF-Pr. A result of [13] 
implies that one of the transforms of [1] is PRF-Pr, but whether or not this is 
true for the others is not clear. 

Whence the compression function? We do not address the problem of 
constructing a multi-property compression function. We presume that this can 
and will be done. This assumption might seem questionable in light of the recent 
collision-finding attacks [14,15] that have destroyed some hash functions and 
tainted others. But we recall that for block ciphers, the AES yielded by the NIST 
competition was not only faster than DES but seems stronger and more elegant. 
We believe it will be the same for compression functions, namely that the planned 
NIST hash function competition will lead to compression functions having the 
properties (CR and beyond) that we want, and perhaps without increase, or even 
with decrease, in cost, compared to current compression functions. We also note 
that we are not really making new requirements on the compression function; we 
are only making explicit requirements that are implicit even in current usage. 
Families of compression functions. Several works [16,17,18] consider a set- 
ting where compression and hash functions are families rather than individual 
functions, meaning, like block ciphers, have an extra, dedicated key input. In con- 
trast, we, following [4,1,5], adopt the setting of current practical cryptographic 
compression and hash functions where there is no such dedicated key input. An 
enveloping technique similar to that of EMD is used in the Chain-Shift construc- 
tion of Maurer and Sjodin [18] for building a VIL MAC out of a FIL MAC in 
the dedicated key input setting. We further discuss this setting, and their work, 
in the full version of the paper [19] . 

2 Definitions 

Notation. Let $D = \{0,1\}^d$ and $D^+ = \bigcup_{i \ge 1} \{0,1\}^{id}$. We denote pairwise concatenation by $\|$, e.g. $M \| M'$. We will often write the concatenation of a sequence of strings by $M_1 \cdots M_k$, which translates to $M_1 \| M_2 \| \ldots \| M_k$. For brevity, we define the following semantics for the notation $M_1 \cdots M_k \leftarrow M$ where $M$ is a string of $|M|$ bits: 1) define $k = \lceil |M|/d \rceil$ and 2) if $|M| \bmod d = 0$ then parse $M$ into $M_1, M_2, \ldots, M_k$ where $|M_i| = d$ for $1 \le i \le k$, otherwise parse $M$ into $M_1, M_2, \ldots, M_{k-1}, M_k$ where $|M_i| = d$ for $1 \le i \le k-1$ and $|M_k| = |M| \bmod d$. For any finite set $S$ we write $s \xleftarrow{\$} S$ to signify uniformly choosing a value $s \in S$. 

Oracle TMs, random oracles, and transforms. Cryptographic schemes, adversaries, and simulators are modeled as Oracle Turing Machines (OTM) and are possibly given zero or more oracles, each being either a random oracle or another OTM (note that when used as an oracle, an OTM maintains state across queries). We allow OTMs to expose a finite number of interfaces: an OTM $N = (N_1, N_2, \ldots, N_l)$ exposes interfaces $N_1, N_2, \ldots, N_l$. For brevity, we write $M^N$ to signify that $M$ gets to query all the interfaces of $N$. For a set $\mathrm{Dom}$ and finite set $\mathrm{Rng}$ we define a random function by the following TM accepting inputs $X \in \mathrm{Dom}$: 

Algorithm $\mathrm{RF}_{\mathrm{Dom},\mathrm{Rng}}(X)$: 
    if $T[X] = \bot$ then $T[X] \xleftarrow{\$} \mathrm{Rng}$ 
    ret $T[X]$ 

where $T$ is a table everywhere initialized to $\bot$. This implements a random function via lazy sampling (which allows us to reason about the case in which $\mathrm{Dom}$ is infinite). In the case that $\mathrm{Dom} = \{0,1\}^d$ and $\mathrm{Rng} = \{0,1\}^r$ we write $\mathrm{RF}_{d,r}$ in place of $\mathrm{RF}_{\mathrm{Dom},\mathrm{Rng}}$. We similarly define $\mathrm{RF}_{d,\mathrm{Rng}}$ and $\mathrm{RF}_{\mathrm{Dom},r}$ in the obvious ways and write $\mathrm{RF}_{*,r}$ in the special case that $\mathrm{Dom} = \{0,1\}^*$. A random oracle is simply a public random function: all parties (including the adversary) are given access. We write $f, g, \ldots = \mathrm{RF}_{\mathrm{Dom},\mathrm{Rng}}$ to signify that $f, g, \ldots$ are independent random oracles from $\mathrm{Dom}$ to $\mathrm{Rng}$. A transform $C$ describes how to utilize an arbitrary compression function to create a variable-input-length hash function. When we fix a particular compression function $f$, we get the associated cryptographic scheme $C^f = C[f]$. 
Collision resistance. We consider a function $F$ to be collision resistant (CR) if it is computationally infeasible to find any two messages $M \ne M'$ such that $F(M) = F(M')$. For the rest of the paper we use $h$ to always represent a collision-resistant compression function with signature $h\colon \{0,1\}^{d+n} \to \{0,1\}^n$. 

Note our definition of CR is informal. The general understanding in the litera- 
ture is that a formal treatment requires considering keyed families. But practical 
compression and hash functions are not keyed when used for CR. (They can be 
keyed for use as MACs or PRFs.) And in fact, our results on CR are still formally 
meaningful because they specify explicit reductions. 

PRFs. Let $F\colon \mathrm{Keys} \times \mathrm{Dom} \to \mathrm{Rng}$ be a function family. Informally, we consider $F$ a pseudorandom function family (PRF) if no reasonable adversary can succeed with high probability at distinguishing between $F(K, \cdot)$ for $K \xleftarrow{\$} \mathrm{Keys}$ and a random function $f = \mathrm{RF}_{\mathrm{Dom},\mathrm{Rng}}$. More compactly we write the prf-advantage of an adversary $A$ as 

$$\mathrm{Adv}^{\mathrm{prf}}_F(A) = \Pr\left[K \xleftarrow{\$} \mathrm{Keys};\ A^{F(K,\cdot)} \Rightarrow 1\right] - \Pr\left[A^{f} \Rightarrow 1\right]$$ 

where the probability is taken over the random choice of $K$ and the coins used by $A$ or by the coins used by $f$ and $A$. For the rest of the paper we use $e$ to always represent a PRF with signature $e\colon \{0,1\}^{d+n} \to \{0,1\}^n$ that is keyed through the low $n$ bits of the input. 

PROs. The indifferentiability framework [10] generalizes the more typical indistinguishability framework (e.g., our definition of a PRF above). The new framework captures the necessary definitions for comparing an object that utilizes public components (e.g., fixed-input-length (FIL) random oracles) with an ideal object (e.g., a variable-input-length (VIL) random oracle). Fix some number $l$. Let $C^{f_1,\ldots,f_l}\colon \mathrm{Dom} \to \mathrm{Rng}$ be a function for random oracles $f_1, \ldots, f_l = \mathrm{RF}_{d,r}$. Then let $S^{\mathcal{F}} = (S_1, \ldots, S_l)$ be a simulator OTM with access to a random oracle $\mathcal{F} = \mathrm{RF}_{\mathrm{Dom},\mathrm{Rng}}$ and which exposes interfaces for each random oracle utilized by $C$. (The simulator's goal is to mimic $f_1, \ldots, f_l$ in such a way as to convince an adversary that $\mathcal{F}$ is $C$.) The pro-advantage of an adversary $A$ against $C$ is the difference between the probability that $A$ outputs a one when given oracle access to $C^{f_1,\ldots,f_l}$ and $f_1, \ldots, f_l$ and the probability that $A$ outputs a one when given oracle access to $\mathcal{F}$ and $S^{\mathcal{F}}$. More succinctly we write that the pro-advantage of $A$ is 

$$\mathrm{Adv}^{\mathrm{pro}}_{C,S}(A) = \left| \Pr\left[A^{C^{f_1,\ldots,f_l},\,f_1,\ldots,f_l} \Rightarrow 1\right] - \Pr\left[A^{\mathcal{F},\,S^{\mathcal{F}}} \Rightarrow 1\right] \right|$$ 

where, in the first case, the probability is taken over the coins used by the random oracles and $A$ and, in the second case, the probability is over the coins used by the random oracles, $A$, and $S$. For the rest of the paper we use $f$ to represent a random oracle $\mathrm{RF}_{d+n,n}$. 

Resources. We give concrete statements about the advantage of adversaries using certain resources. For prf-adversaries we measure the total number of queries $q$ made and the running time $t$. For pro-adversaries we measure the total number of left queries $q_L$ (which are either to $C$ or $\mathcal{F}$) and the number of right queries $q_i$ made to each oracle $f_i$ or simulator interface $S_i$. We also specify the resources utilized by simulators. We measure the total number of queries $q_S$ to $\mathcal{F}$ and the maximum running time $t_S$. Note that these values are generally functions of the number of queries made by an adversary (necessarily so, in the case of $t_S$). 

Pointless queries. In all of our proofs (for all notions of security) we assume 
that adversaries make no pointless queries. In our setting this particularly means 
that adversaries are never allowed to repeat a query to an oracle. 

3 Domain Extension Using Merkle-Damgård 

The Merkle-Damgård transform. We focus on variants of the Merkle-Damgård transform. Let $c\colon \{0,1\}^{d+n} \to \{0,1\}^n$ be an arbitrary fixed-input-length function. Using it, we wish to construct a family of variable-input-length functions $F^c\colon \{0,1\}^n \times \{0,1\}^* \to \{0,1\}^n$. We start by defining the Merkle-Damgård iteration $c^+\colon D^+ \to \{0,1\}^n$ by the algorithm specified below. 

Algorithm $c^+(I, M)$: 
    $M_1 \cdots M_k \leftarrow M$; $Y_0 \leftarrow I$ 
    for $i = 1$ to $k$ do 
        $Y_i \leftarrow c(M_i \| Y_{i-1})$ 
    ret $Y_k$ 

Since $I$ is usually fixed to a constant, the function $c^+$ only works for strings that are a multiple of $d$ bits. Thus we require a padding function $\mathrm{pad}(M)$, which for any string $M \in \{0,1\}^*$ returns a string $Y$ for which $|Y|$ is a multiple of $d$. We require that $\mathrm{pad}$ is one-to-one (this requirement is made for all padding functions in this paper). A standard instantiation for $\mathrm{pad}$ is to append to the message a one bit and then enough zero bits to fill out a block. Fixing some $\mathrm{IV} \in \{0,1\}^n$, we define the plain Merkle-Damgård transform $\mathrm{MD}[c] = c^+(\mathrm{IV}, \mathrm{pad}(\cdot))$. 

Keying strategies. In this paper we discuss transforms that produce keyless 
schemes. We would also like to utilize these schemes as variable-input-length 
PRFs, but this requires that we use some keying strategy. We focus on the key- 
via-IV strategy. Under this strategy, we replace constant initialization vectors 
with randomly chosen keys of the same size. For example, if e is a particular PRF, 
then keyed $\mathrm{MD}^e$ would be defined as $\mathrm{MD}^e_K(M) = e^+(K, \mathrm{pad}(M))$ (it should be 
noted that this is not a secure PRF). We will always signify the keyed version of 
a construction by explicitly including the keys as subscripts. 

Multi-property preservation. We would like to reason about the security 
of MD and its variants when we make assumptions about c. Phrased another 
way, we want to know if a transform such as MD preserves security properties 
of the underlying compression function. We are interested in collision-resistance 
preservation, PRO preservation, and PRF preservation. Let C be a transform 
that works on functions from $\{0,1\}^{d+n}$ to $\{0,1\}^n$. Let $h\colon \{0,1\}^{d+n} \to \{0,1\}^n$ be a collision-resistant hash function. Then we say that $C$ is collision-resistance preserving (CR-Pr) if the scheme $C^h$ is collision-resistant. Let $f = \mathrm{RF}_{d+n,n}$ be a random oracle. Then we say that $C$ is pseudorandom oracle preserving (PRO-Pr) if the scheme $C^f$ is a pseudorandom oracle. Let $e\colon \{0,1\}^{d+n} \to \{0,1\}^n$ be an arbitrary PRF (keyed via the low $n$ bits). Then we say that $C$ is pseudorandom function preserving (PRF-Pr) if the keyed-via-IV scheme $C^e_K$ is a PRF. A transform for which all of the above holds is considered multi-property preserving. 
Security of MD and SMD. It is well known that MD is neither CR-Pr, PRO-Pr, nor PRF-Pr [2,3,13,1]. The first variant that was proven CR-Pr was so-called MD with strengthening, which we denote by SMD. In this variant, the padding function is replaced by one with the following property: for $M$ and $M'$ with $|M| \ne |M'|$ then $M_k \ne M'_{k'}$ (the last blocks after padding are distinct). A straightforward way to achieve a padding function with this property is to include an encoding of the message length in the padding. In many implementations, this encoding is done using 64 bits [20], which restricts the domain to strings of length no larger than $2^{64}$. We therefore fix some padding function $\mathrm{pad64}(M)$ that takes as input a string $M$ and returns a string $Y$ of length $kd$ bits for some number $k$ such that the last 64 bits of $Y$ are an encoding of $|M|$. Using this padding function we define the strengthened MD transform $\mathrm{SMD}[c] = c^+(\mathrm{IV}, \mathrm{pad64}(\cdot))$. We emphasize the fact that preservation of collision-resistance is strongly dependent on the choice of padding function. However, this modification to MD is alone insufficient for rendering SMD either PRF-Pr or PRO-Pr due to simple length-extension attacks [13,1]. 

4 Orthogonality of Property Preservation 

In this section we illustrate that property preservation is orthogonal. Previous 
work [1] has already shown that collision-resistance preservation does not imply 
pseudorandom oracle preservation. We investigate the inverse: does a transform 
being PRO-Pr imply that it is also CR-Pr? We answer this in the negative by 
showing how to construct a PRO-Pr transform that is not CR-Pr. While this 
result is sufficient to refute the idea that PRO-Pr is a stronger security goal for 
transforms, it does not necessarily imply anything about specific PRO-Pr trans- 
forms. Thus, we investigate the four transforms proposed by Coron et al. and 
show that all four fail to preserve collision-resistance. Finally, lacking a formally 
meaningful way of comparing pseudorandom oracle preservation and pseudoran- 
dom function preservation (one resulting in keyless schemes, the other in keyed), 
we briefly discuss whether the proposed transforms are PRF-Pr. 

4.1 PRO-Pr Does Not Imply CR-Pr 

Let $n, d > 0$ and $h\colon \{0,1\}^{d+n} \to \{0,1\}^n$ be a collision-resistant hash function and $f = \mathrm{RF}_{d+n,n}$ be a random oracle. Let $\mathrm{Dom}, \mathrm{Rng}$ be non-empty sets and let $C_1$ be a transform for which $C_1^f = C_1[f]$ is a pseudorandom oracle $C_1^f\colon \mathrm{Dom} \to \mathrm{Rng}$. We create a transform $C_2$ that is PRO-Pr but is not CR-Pr. In other words 
Game G0 (includes the statement in square brackets) / Game G1 (that statement removed) 

procedure Initialize 
    000  $f = \mathrm{RF}_{d+n,n}$ 

procedure f($x$) 
    100  ret $f(x)$ 

procedure C($X$) 
    200  $Y \leftarrow C_1^f(X)$ 
    201  if $f(0^{d+n}) = 0^n$ then bad $\leftarrow$ true; [ $Y \leftarrow 0^n$ ] 
    202  ret $Y$ 

Fig. 2. Games utilized in the proof of Proposition 1 to show that $C_2^f$ is a PRO 

the resulting scheme $C_2^f\colon \mathrm{Dom} \to \mathrm{Rng}$ is indifferentiable from a random oracle, but it is trivial to find collisions against the scheme $C_2^h$ (even without finding collisions against $h$). We modify $C_1[c]$ to create $C_2[c]$ as follows. First check if $c(0^{d+n})$ is equal to $0^n$ and return $0^n$ if that is the case. Otherwise we just follow the steps specified by $C_1[c]$. Thus the scheme $C_2^f$ returns $0^n$ for any message if $f(0^{d+n}) = 0^n$. Similarly the scheme $C_2^h$ returns $0^n$ for any message if $h(0^{d+n}) = 0^n$. The key insight, of course, is that the differing assumptions made about the oracle impact the likelihood of this occurring. If the oracle is a random oracle, then the probability is small: we prove below that $C_2^f$ is a pseudorandom oracle. On the other hand, we now show how to easily design a collision-resistant hash function $h$ that causes $C_2^h$ to not be collision resistant. Let $h'\colon \{0,1\}^{d+n} \to \{0,1\}^{n-1}$ be some collision-resistant hash function. Then $h(M)$ returns $0^n$ if $M = 0^{d+n}$, otherwise it returns $h'(M) \| 1$. Collisions found on $h$ would necessarily translate into collisions for $h'$, which implies that $h$ is collision-resistant. Furthermore since $h(0^{d+n}) = 0^n$ we have that $C_2^h(M) = 0^n$ for any message $M$, making it trivial to find collisions against $C_2^h$. 

Proposition 1. [$C_2$ is PRO-Pr] Let $n, d > 0$ and $\mathrm{Dom}, \mathrm{Rng}$ be non-empty sets and $f = \mathrm{RF}_{d+n,n}$ and $\mathcal{F} = \mathrm{RF}_{\mathrm{Dom},\mathrm{Rng}}$ be random oracles. Let $C_1^f$ be a pseudorandom oracle. Let $C_2^f$ be the scheme as described above and let $S$ be an arbitrary simulator. Then for any adversary $A_2$ that utilizes $q_L$ left queries, $q_R$ right queries, and runs in time $t$, there exists an adversary $A_1$ such that 

$$\mathrm{Adv}^{\mathrm{pro}}_{C_2,S}(A_2) \le \mathrm{Adv}^{\mathrm{pro}}_{C_1,S}(A_1) + \frac{1}{2^n}$$ 

with $A_1$ utilizing the same number of queries and time as $A_2$. 

Proof. Let $f = \mathrm{RF}_{d+n,n}$ and $\mathcal{F} = \mathrm{RF}_{\mathrm{Dom},\mathrm{Rng}}$ be random oracles. Let $A$ be some pro-adversary against $C_2^f$. Let $S$ be an OTM with an interface $S_f$ that on $(d+n)$-bit inputs returns $n$-bit strings. We utilize a simple game-playing argument in conjunction with a hybrid argument to bound the indifferentiability of $C_2$ by that of $C_1$ (with respect to simulator $S$). Figure 2 displays two games, game G0 (includes boxed statement) and game G1 (boxed statement removed). The first game G0 exactly simulates the oracles $C_2^f$ and $f$. The second game G1 exactly simulates the oracles $C_1^f$ and $f$. We thus have that $\Pr[A^{C_2^f,\,f} \Rightarrow 1] = \Pr[A^{\mathrm{G0}} \Rightarrow 1]$ and $\Pr[A^{C_1^f,\,f} \Rightarrow 1] = \Pr[A^{\mathrm{G1}} \Rightarrow 1]$. Since G0 and G1 are identical-until-bad we have by the fundamental lemma of game playing [21] that $\Pr[A^{\mathrm{G0}} \Rightarrow 1] - \Pr[A^{\mathrm{G1}} \Rightarrow 1] \le \Pr[A^{\mathrm{G1}} \text{ sets } bad]$. The right hand side is equal to $2^{-n}$ because $f$ is a random oracle. Thus, 

$$\begin{aligned} 
\mathrm{Adv}^{\mathrm{pro}}_{C_2,S}(A_2) &= \Pr[A^{\mathrm{G0}} \Rightarrow 1] - \Pr[A^{\mathrm{G1}} \Rightarrow 1] + \Pr[A^{\mathrm{G1}} \Rightarrow 1] - \Pr[A^{\mathcal{F},\,S^{\mathcal{F}}} \Rightarrow 1] \\ 
&\le \Pr[A^{\mathrm{G1}} \text{ sets } bad] + \Pr[A^{C_1^f,\,f} \Rightarrow 1] - \Pr[A^{\mathcal{F},\,S^{\mathcal{F}}} \Rightarrow 1] \\ 
&= \frac{1}{2^n} + \mathrm{Adv}^{\mathrm{pro}}_{C_1,S}(A_1). 
\end{aligned}$$ 

□ 

Prefix-free MD: 
    $\mathrm{PRE}[c] = c^+(\mathrm{IV}, \mathrm{padPF}(\cdot))$ 
    where $\mathrm{padPF}\colon \{0,1\}^* \to D^+$ is a prefix-free padding function 

NMAC Transform: 
    $\mathrm{NT}[c, g] = g(c^+(\mathrm{IV}, \mathrm{pad}(\cdot)))$ 
    where $g\colon \{0,1\}^n \to \{0,1\}^n$ is a function 

Chop Solution: 
    $\mathrm{CHP}[c] =$ first $n-s$ bits of $c^+(\mathrm{IV}, \mathrm{pad}(\cdot))$ 

HMAC Transform: 
    $\mathrm{HT}[c] = c(c^+(\mathrm{IV}, 0^d \| \mathrm{pad}(\cdot)) \| 0^{d-n} \| \mathrm{IV})$ 

Fig. 3. The four MD variants proposed in [1] that are PRO-Pr but not CR-Pr 


4.2 Insecurity of Proposed PRO-Pr Transforms 

Collision-resistance preservation. The result above tells us that PRO-Pr 
does not imply CR-Pr for arbitrary schemes. What about MD variants? One 
might hope that the mechanisms used to create a PRO-Pr MD variant are suffi- 
cient for rendering the variant CR-Pr also. This is not true. In fact all previously 
proposed MD variants proven to be PRO-Pr are not CR-Pr. The four variants 
are summarized in Fig. 3 and below, see [1] for more details. 

The first transform is Prefix-free MD specified by $\mathrm{PRE}[c] = c^+(\mathrm{IV}, \mathrm{padPF}(\cdot))$. It applies a prefix-free padding function $\mathrm{padPF}$ to an input message and then uses the MD iteration. The padding function $\mathrm{padPF}$ must output strings that are a multiple of $d$ bits with the property that for any two strings $M \ne M'$, $\mathrm{padPF}(M)$ is not a prefix of $\mathrm{padPF}(M')$. The Chop solution simply drops $s$ bits from the output of the MD iteration applied to a message. The NMAC transform applies a second, distinct compression function to the output of an MD iteration; it is defined by $\mathrm{NT}[c, g] = g(c^+(\mathrm{IV}, \mathrm{pad}(\cdot)))$, where $g$ is a function from $n$ bits to $n$ bits (distinct from $h$). Lastly, the HMAC Transform is defined by $\mathrm{HT}[c] = c(c^+(\mathrm{IV}, 0^d \| \mathrm{pad}(\cdot)) \| 0^{d-n} \| \mathrm{IV})$. This transform similarly utilizes enveloping: the MD iteration is fed into $c$ in a way that distinguishes this last call from the uses of $c$ inside the MD iteration. The prepending of a $d$-bit string of zeros to an input message helps ensure that the envelope acts differently than the first compression function application. 
Let $\mathrm{IV} = 0^n$. We shall use the collision-resistant hash function $h$ that maps $0^{d+n}$ to $0^n$ (defined in Sect. 4.1). We first show that the PRE construction, while being PRO-Pr for all prefix-free encodings, is not CR-Pr for all prefix-free encodings. Let $\mathrm{padPF}(M) = g_2(M)$ from Sect. 3.3 of [1]. Briefly, $g_2(M) = 0 \| M_1, \ldots, 0 \| M_{k-1}, 1 \| M_k$ for $M_1 \| \cdots \| M_k \leftarrow M \| 10^r$, where $r = (d-1) - ((|M|+1) \bmod (d-1))$. (That is we append a one to $M$, and then enough zeros to make a string with length a multiple of $d-1$.) Now let $X = 0^{d-1}$ and $Y = 0^{2(d-1)}$. Then we have that $\mathrm{PRE}^h(X) = \mathrm{PRE}^h(Y)$ and no collisions against $h$ occur. We should note that some prefix-free encodings will render PRE CR-Pr, for example any that also include strengthening. The important point here is that strengthening does not ensure prefix-freeness and vice-versa. 

For the other three constructions, we assume that $\mathrm{pad}(M)$ simply appends a one and then enough zeros to make a string with length a multiple of $d$. Let $X = 0^d$ and $Y = 0^{2d}$. Then we have that $\mathrm{CHP}^h(X) = \mathrm{CHP}^h(Y)$ and $\mathrm{NT}^h(X) = \mathrm{NT}^h(Y)$ and $\mathrm{HT}^h(X) = \mathrm{HT}^h(Y)$. Never is there a collision generated against $h$. 

The straightforward counter-examples exploit the weakness of the basic MD 
transform. As noted previously, the MD transform does not give any guaran- 
tees about collision resistance, and only when we consider particular padding 
functions (i.e., pad64) can we create a CR-Pr transform. Likewise, we have il- 
lustrated that the mechanisms of prefix-free encodings, dropping output bits, 
and enveloping do nothing to help ensure collision-resistance is preserved, even 
though they render the transforms PRO-Pr. To properly ensure preservation of 
both properties, we must specify transforms that make use of mechanisms that 
ensure collision-resistance preservation and mechanisms that ensure pseudoran- 
dom oracle preservation. In fact, it is likely that adding strengthening to these 
transforms would render them CR-Pr. However, as we show in the next section, 
our new construction (with strengthening) is already more efficient than these 
constructions (without strengthening). 

PRF preservation. It is not formally meaningful to compare PRF preservation with PRO preservation, since the resulting schemes in either case are different types of objects (one keyed and one keyless). However we can look at particular transforms. Of the four proposed by Coron et al. only PRE is known to be PRF-Pr. Let $e$ be a PRF. Since we are using the key-via-IV strategy, the keyed version of $\mathrm{PRE}^e$ is $\mathrm{PRE}^e_K(M) = e^+(K, \mathrm{padPF}(M))$. This is already known to be a good PRF [13]. As for the other three transforms, it is unclear whether any of them are PRF-Pr. For NT, we note that the security will depend greatly on the assumptions made about $g$. If $g$ is a separately keyed PRF, then we can apply the proof of NMAC [4]. On the other hand, if $g$ is not one-way, then an adversary 
can determine the values produced by the underlying MD iteration and mount 
simple length-extension attacks. Instead of analyzing these transforms further 
(which are not CR-Pr anyway), we look at a new construction. 
5 The EMD Transform 

We propose a transform that is CR-Pr, PRO-Pr, and PRF-Pr. Let $n, d$ be numbers such that $d > n + 64$. Let $c\colon \{0,1\}^{d+n} \to \{0,1\}^n$ be a function and let $D^\circ = \bigcup_{i \ge 1} \{0,1\}^{id-n}$. Then we define the enveloped Merkle-Damgård iteration $c^\circ\colon \{0,1\}^{2n} \times D^\circ \to \{0,1\}^n$ on $c$ by the algorithm given below. 

Algorithm $c^\circ(I_1, I_2, M)$: 
    $M_1 \cdots M_k \leftarrow M$ 
    $P \leftarrow M_1 \cdots M_{k-1}$ 
    ret $c(c^+(I_1, P) \| M_k \| I_2)$ 

To specify our transform we require a padding function $\mathrm{padEMD}\colon \{0,1\}^{\le 2^{64}} \to D^\circ$ for which the last 64 bits of $\mathrm{padEMD}(M)$ encodes $|M|$. Fix $\mathrm{IV1}, \mathrm{IV2} \in \{0,1\}^n$ with $\mathrm{IV1} \ne \mathrm{IV2}$. Then we specify the enveloped Merkle-Damgård transform $\mathrm{EMD}[c] = c^\circ(\mathrm{IV1}, \mathrm{IV2}, \mathrm{padEMD}(\cdot))$. 

EMD utilizes two main mechanisms for ensuring property preservation. The 
first is the well-known technique of strengthening: we require a padding function 
that returns a string appended with the 64-bit encoding of the length. This 
ensures that EMD preserves collision-resistance. The second technique consists 
of using an ‘extra’ compression function application to envelope the internal 
MD iteration. It is like the enveloping mechanism used by Maurer and Sjödin 
in a different setting [18] (which is discussed in more detail in the full version of 
the paper [19]), but distinct from prior enveloping techniques used in the current 
setting. First, it includes message bits in the envelope’s input (in NMAC/HMAC 
and HT, these bits would be a fixed constant, out of adversarial control). This 
results in a performance improvement since in practice it is always desirable 
to have d as large as possible relative to n (e.g., in SHA-1 d = 512 and n = 
160). Second, it utilizes a distinct initialization vector to provide (with high 
probability) domain separation between the envelope and internal applications 
of the compression function. This mechanism allows us to avoid having to use 
other previously proposed domain separation techniques while still yielding a 
PRO-Pr transform. (The previous techniques were prefix-free encodings or the 
prepending of $0^d$ to messages, as used in the HT transform; both are more costly.) 


5.1 Security of EMD 

Collision-resistance preservation. Let $h\colon \{0,1\}^{d+n} \to \{0,1\}^n$ be a collision-resistant hash function. Then any adversary which finds collisions against $\mathrm{EMD}^h$ (two messages $M \ne M'$ for which $\mathrm{EMD}^h(M) = \mathrm{EMD}^h(M')$) will necessarily find collisions against $h$. This can be proven using a slightly modified version of the proof that SMD is collision-resistant [2,3], and we therefore omit the details. The important intuition here is that embedding the length of messages in the last block is crucial; without the strengthening the scheme would not be collision resistant (similar attacks as those given in Section 4 would be possible). 
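The separation of Sect. 4.2 and the strengthening argument just given, carried out on toy parameters as an added worked example (this code is not from the paper): it builds the pathological collision-resistant h of Sect. 4.1, checks that the stated message pairs collide under PRE, CHP, NT and HT without any collision on h itself, and checks that EMD, whose padEMD embeds the message length, separates the same pair. Constructed assumptions: n = 32, d = 128, SHA-256 truncated to n-1 bits as the stand-in for h', bitwise complement as the arbitrary g of NT, and s = 8 dropped bits for CHP.

```python
import hashlib

# Constructed toy parameters: n-bit chaining values and d-bit message blocks,
# with d > n + 64 as EMD requires. Bit strings are Python str of '0'/'1'
# characters so that 0^d, 0^{d+n} and friends are easy to write down.
N, D = 32, 128
IV = "0" * N                  # IV = 0^n, as in the Sect. 4.2 counter-examples
IV1, IV2 = "0" * N, "1" * N   # EMD's two distinct initialization vectors

def h_prime(x: str) -> str:
    """Stand-in for a collision-resistant h': {0,1}^{d+n} -> {0,1}^{n-1}
    (constructed: SHA-256 of the bit string, truncated to n-1 bits)."""
    digest = hashlib.sha256(x.encode()).digest()
    return "".join(f"{b:08b}" for b in digest)[: N - 1]

def h(x: str) -> str:
    """The pathological compression function of Sect. 4.1: h(0^{d+n}) = 0^n,
    otherwise h(x) = h'(x) || 1. It inherits collision resistance from h',
    because 0^n is the only output whose last bit is 0."""
    assert len(x) == D + N
    if x == "0" * (D + N):
        return "0" * N
    return h_prime(x) + "1"

class Recorder:
    """Logs every query to a compression function, to verify afterwards that
    the transform-level collisions never collide h itself."""
    def __init__(self, c):
        self.c, self.queries = c, {}
    def __call__(self, x: str) -> str:
        self.queries[x] = self.c(x)
        return self.queries[x]
    def saw_collision(self) -> bool:
        return len(set(self.queries.values())) < len(self.queries)

def md_iter(c, I: str, M: str) -> str:
    """Merkle-Damgard iteration c^+(I, M) of Sect. 3; |M| is a multiple of d."""
    assert len(M) % D == 0
    Y = I
    for i in range(0, len(M), D):
        Y = c(M[i:i + D] + Y)          # Y_i <- c(M_i || Y_{i-1})
    return Y

def pad(M: str) -> str:
    """Plain padding: a one bit, then zeros up to a multiple of d bits."""
    return M + "1" + "0" * (-(len(M) + 1) % D)

def pad_pf(M: str) -> str:
    """Prefix-free encoding g_2 of [1]: pad to a multiple of d-1 bits, then
    prepend 0 to every block except the last, which gets a 1 prepended."""
    P = M + "1" + "0" * (-(len(M) + 1) % (D - 1))
    blocks = [P[i:i + D - 1] for i in range(0, len(P), D - 1)]
    return "".join("0" + b for b in blocks[:-1]) + "1" + blocks[-1]

def pad_emd(M: str) -> str:
    """padEMD: output length is i*d - n for some i >= 1 and the last 64 bits
    encode |M| (the strengthening that makes EMD CR-Pr)."""
    body = M + "1"
    body += "0" * (-(len(body) + 64 + N) % D)
    return body + f"{len(M):064b}"

# The four transforms of Fig. 3, instantiated with the fixed IV above.
def PRE(c, M): return md_iter(c, IV, pad_pf(M))
def CHP(c, M, s=8): return md_iter(c, IV, pad(M))[: N - s]
def NT(c, g, M): return g(md_iter(c, IV, pad(M)))
def HT(c, M): return c(md_iter(c, IV, "0" * D + pad(M)) + "0" * (D - N) + IV)

def EMD(c, M: str) -> str:
    """EMD[c](M) = c^o(IV1, IV2, padEMD(M)): iterate c over all but the last
    d-n padded bits, then envelope the result with those bits and IV2."""
    P = pad_emd(M)
    prefix, last = P[: len(P) - (D - N)], P[len(P) - (D - N):]
    return c(md_iter(c, IV1, prefix) + last + IV2)

def complement(x: str) -> str:
    """An arbitrary n-to-n-bit function to play g in NT (constructed)."""
    return "".join("1" if b == "0" else "0" for b in x)

def counterexamples() -> dict:
    """Reproduce Sect. 4.2: X = 0^{d-1}, Y = 0^{2(d-1)} collide under PRE^h and
    X = 0^d, Y = 0^{2d} collide under CHP^h, NT^h and HT^h, with no collision
    on h; EMD^h, thanks to the length encoding, separates the second pair."""
    rec = Recorder(h)
    pre_equal = PRE(rec, "0" * (D - 1)) == PRE(rec, "0" * (2 * (D - 1)))
    X, Y = "0" * D, "0" * (2 * D)
    return {
        "PRE": pre_equal,
        "CHP": CHP(rec, X) == CHP(rec, Y),
        "NT": NT(rec, complement, X) == NT(rec, complement, Y),
        "HT": HT(rec, X) == HT(rec, Y),
        "EMD": EMD(rec, X) == EMD(rec, Y),
        "h_collision": rec.saw_collision(),
    }

if __name__ == "__main__":
    for name, collided in counterexamples().items():
        print(f"{name:12s} collision: {collided}")
```

The zero chaining value survives every all-zero block because h(0^{d+n}) = 0^n, so the two messages reach the last padded block in the same state; padEMD breaks this by making the last block depend on |M|.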

PRO preservation. Now we show that EMD is PRO-Pr. We first prove a slightly different transform is PRO-Pr and then show that EMD reduces to this other transform. Let $f, g = \mathrm{RF}_{d+n,n}$ be random oracles. For any strings $P_1 \in D^+$ and $P_2 \in \{0,1\}^{d-n}$ we define the function $gf^+\colon D^\circ \to \{0,1\}^n$ by $gf^+(P_1 \| P_2) = g(f^+(\mathrm{IV1}, P_1) \| P_2 \| \mathrm{IV2})$. This function is essentially $\mathrm{EMD}^f$, except that we replace the envelope with an independent random oracle $g$. The following lemma states that $gf^+$ is a pseudorandom oracle. 


Lemma 1. [$gf^+$ is a PRO] Let $f, g = \mathrm{RF}_{d+n,n}$. Let $A$ be an adversary that asks at most $q_L$ left queries, $q_f$ right $f$-queries, $q_g$ right $g$-queries and runs in time $t$. Then 

$$\mathrm{Adv}^{\mathrm{pro}}_{gf^+,\,SB}(A) \le \frac{(q_L + q_g)^2 + q_f^2 + q_g q_f}{2^n}$$ 

where $SB = (SB_f, SB_g)$ is defined in Fig. 4 and $q_{SB} \le q_g$ and $t_{SB} = O(q_f^2 + q_g q_f)$. 


We might hope that this result is given by Theorem 4 from [1], which states that 
$\mathrm{NT}^{f,g}$ is indifferentiable from a random oracle. Unfortunately, their theorem 
statement does not allow for adversarially-specified bits included in the input 
to g. Thus we give a full proof of Lemma 1, found in the full version of the 
paper [19]. The next theorem captures the main result, and its proof is also in 
the full version. For completeness, we provide the simulators SB = ( SBf,SB g ) 
and SA in Fig. 4. 


Theorem 1. [EMD is PRO-Pr] Fix $n, d$, and let $\mathrm{IV1}, \mathrm{IV2} \in \{0,1\}^n$ with $\mathrm{IV1} \ne \mathrm{IV2}$. Let $f = \mathrm{RF}_{d+n,n}$ and $\mathcal{F} = \mathrm{RF}_{*,n}$ be random oracles. Let $A$ be an adversary that asks at most $q_L$ left queries (each of length no larger than $ld$ bits), $q_1$ right queries with lowest $n$ bits not equal to $\mathrm{IV2}$, $q_2$ right queries with lowest $n$ bits equal to $\mathrm{IV2}$, and runs in time $t$. Then 

$$\mathrm{Adv}^{\mathrm{pro}}_{\mathrm{EMD},\,SA}(A) \le \frac{(q_L + q_2)^2 + q_1^2 + q_2 q_1}{2^n} + \frac{\cdots}{2^n}$$ 

where the simulator $SA$ is defined in Fig. 4 and $q_{SA} \le q_2$ and $t_{SA} = O(q_1^2 + q_2 q_1)$. 


PRF preservation. We utilize the key-via-IV strategy to create a keyed version of our transform, which is $\mathrm{EMD}^e_{K_1,K_2}(M) = e^\circ(K_1, K_2, M)$ (for some PRF $e$). The resulting scheme is very similar to NMAC, which we know to be PRF-Pr [5]. Because our transform allows direct adversarial control over a portion of the input to the envelope function, we cannot directly utilize the proof of NMAC (which assumes instead that these bits are fixed constants). However, the majority of the proof of NMAC is captured by two lemmas. The first (Lemma 3.1 [5]) shows (informally) that the keyed MD iteration is unlikely to have outputs that collide. The second lemma (Lemma 3.2 [5]) shows that composing the keyed MD iteration with a separately keyed PRF yields a PRF. We omit the details. 
On query $SB_f(X)$: 
    $Y \xleftarrow{\$} \{0,1\}^n$ 
    Parse $X$ into $U \| V$ s.t. $|U| = d$, $|V| = n$ 
    if $V = \mathrm{IV1}$ then NewNode($U$) $\leftarrow Y$ 
    if $M_1 \cdots M_i \leftarrow$ GetNode($V$) then NewNode($M_1 \cdots M_i U$) $\leftarrow Y$ 
    ret $Y$ 

On query $SB_g(X)$: 
    Parse $X$ into $V \| U \| W$ s.t. $|V| = n$, $|U| = d - n$, $|W| = n$ 
    if $W = \mathrm{IV2}$ and $M_1 \cdots M_i \leftarrow$ GetNode($V$) then ret $\mathcal{F}(M_1 \cdots M_i U)$ 
    ret $Y \xleftarrow{\$} \{0,1\}^n$ 

On query $SA(X)$: 
    $Y \xleftarrow{\$} \{0,1\}^n$ 
    Parse $X$ into $V \| U \| W$ s.t. $|V| = n$, $|U| = d - n$, $|W| = n$ 
    if $W = \mathrm{IV2}$ then 
        if $M_1 \cdots M_i \leftarrow$ GetNode($V$) then ret $\mathcal{F}(M_1 \cdots M_i U)$ 
        else ret $Y$ 
    Parse $X$ into $U \| V$ s.t. $|U| = d$, $|V| = n$ 
    if $V = \mathrm{IV1}$ then NewNode($U$) $\leftarrow Y$ 
    if $M_1 \cdots M_i \leftarrow$ GetNode($V$) then NewNode($M_1 \cdots M_i U$) $\leftarrow Y$ 
    ret $Y$ 

Fig. 4. Pseudocode for simulators $SB$ (Lemma 1) and $SA$ (Theorem 1) 

Theorem 2. [EMD is PRF-Pr] Fix $n, d$, and let $e\colon \{0,1\}^{d+n} \to \{0,1\}^n$ be a function family keyed via the low $n$ bits of its input. Let $A$ be a prf-adversary against keyed EMD using $q$ queries of length at most $m$ blocks and running in time $t$. Then there exist prf-adversaries $A_1$ and $A_2$ against $e$ such that 

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{EMD}^e_{K_1,K_2}}(A) \le \mathrm{Adv}^{\mathrm{prf}}_e(A_1) + \binom{q}{2}\left[ 2m \cdot \mathrm{Adv}^{\mathrm{prf}}_e(A_2) + \cdots \right]$$ 

where $A_1$ utilizes $q$ queries and runs in time at most $t$ and $A_2$ utilizes at most two oracle queries and runs in time $O(mT_e)$ where $T_e$ is the time for one computation of $e$. 
Abstract. The design of secure compression functions is of vital importance to hash function development. In this paper we consider the 
problem of combining smaller trusted compression functions to build a 
larger compression function. This work leads directly to impossibility re- 
sults on a range of block cipher-based hash function constructions. 

Keywords: block ciphers, compression functions, hash functions. 


1 Introduction 

Cryptographic hash functions are an important tool in cryptography. Informally, 
a cryptographic hash function H takes an input of variable size and returns a 
hash value of fixed length while satisfying the properties of preimage resistance, 
second preimage resistance, and collision resistance [26]. For a secure hash func- 
tion that gives an n-bit output, compromising these properties should require 
$2^n$, $2^n$, and $2^{n/2}$ operations respectively. 

The pioneering work of Merkle and Damgård [7,27] showed how to construct 
a secure hash function from a compression function h that has a fixed-length 
input, consisting of a chaining variable and a message extract, and gives a fixed- 
length output. A variety of interesting results [8,12,13] have provided a greater 
understanding of the Merkle-Damgård approach to the serial application of such 
a compression function. 

Generally speaking, there are two popular approaches to building a com- 
pression function for use in a crytographic hash function. The first is to use a 
compression function of a dedicated design while the second is to build a com- 
pression function around an established, and trusted, block cipher. While most 
widely-deployed hash functions [30,37] use a compression function of dedicated 
design, recent attacks [39,40] have demonstrated that there is much to learn. 
Instead, there is now much renewed interest in using a block cipher as the basis 
for a compression function. 

It might be argued that the compression functions of common dedicated hash 
functions such as MD5 [37] and SHA-1 [30] are built on block ciphers; by re- 
moving the feed-forward from compression functions in the MD-family we are 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 315-331, 2006. 
left with a reversible component that can be used as a block cipher (such as 
SHACAL [9] in the case of SHA-1). But these block ciphers cannot be afforded 
the same level of trust as the leading standardised block ciphers [29,31], and 
instead block cipher-based hash functions are traditionally viewed as techniques 
to build a secure compression function from a trusted and standardised cipher. 
Much progress on using block ciphers in this way has already been made. Black 
et al. [2] built on the work of Preneel [32] to present a range of secure 2n- to 
n-bit compression functions built around an n-bit block cipher that takes an 
n-bit key. Among these are the well-known Davies-Meyer, Matyas-Meyer-Oseas, 
and Miyaguchi-Preneel constructions. We therefore have many secure compres- 
sion functions in hand whose chaining variable is the same size as the block size. 
However, a hash function built on a compression function with n bits of output 
can only offer a security level of at most $2^{n/2}$ operations. Since a security level 
of $2^{128}$ bits is often desired, we need to construct compression functions with 
outputs of at least 256 bits, a requirement that cannot be immediately met by 
the standardised block ciphers in hand. 

Our difficulties begin, therefore, when we try to build secure compression func- 
tions whose output size is greater than the block size of the underlying block 
cipher. This is not a new problem and there has been mixed success in con- 
structing 2n-bit hash functions from an n-bit block cipher [4,5,14,19,21,33,35]. 
While limitations have been identified in many constructions [14], Hirose [10] has 
demonstrated the security of a family of double block-length hash functions us- 
ing two independent block ciphers with key length twice the block length. This is 
a property shared by AES-256 [29] and IDEA [20] among others with a particular 
instance of this construction being the long-standing ABREAST-DM [19]. 

While the case of block ciphers provided the initial motivation for our work, 
our results are essentially about compression functions. In this paper we explore 
the problem of combining compression functions that we know to be secure. 
These smaller compression functions can be of any type — dedicated, number 
theoretic, block cipher-based — and our aim is to build a secure compression 
function with a longer chaining variable. Thus the results are broader than block 
cipher-based hashing, though this is where there is an immediate, practical, and 
at times surprising, impact. The paper is organised as follows. In Section 2 we 
establish the framework and we make some initial observations in Section 3. After 
discussing some generic attacks in Section 4, we derive criteria for combining 
compression functions in Section 5 and demonstrate a range of impossibility 
results and potential constructions in Section 6. We then draw our conclusions 
and highlight opportunities for future work. 

2 Notation and Model 

In this paper we consider building larger compression functions from smaller 
trusted ones. We will assume that the underlying secure compression functions 
have k inputs of n bits and that the output is n bits in length. Details on the 
construction of secure compression functions will not be important to our results. 
However, in the specific case of a block cipher with equal key and block size we 
have k = 2, while for a key size twice the block size we have k = 3. We could also 
use a compression function based on a tweaked block cipher [3,23] or a dedicated 
design (if we were willing to claim their security as secure compression functions) 
and we might then have k > 3 depending on the sizes of the chaining variable 
and message input. This flexible approach was pursued by Knudsen and Preneel 
in a series of papers [16,17,18]. 

This is not a proof-oriented paper, so we follow [18]: a collision-resistant 
hash function or compression function outputting n bits is called ideal if 
the best algorithm to find a collision is a brute-force collision search; such an 
attack requires on average $O(2^{n/2})$ evaluations of the hash function. Similarly, a 
preimage (resp. 2nd-preimage) resistant hash function or compression function 
with n-bit output is called ideal if the best algorithm to find a preimage (resp. 
2nd-preimage) is a brute-force preimage (resp. 2nd-preimage) search; such an 
attack requires on average $O(2^n)$ evaluations of the hash function. 



Fig. 1. The compression function h built from t compression functions $f^{(i)}$, each taking 
k inputs of n bits and delivering an n-bit output. m stands for message and cv for 
chaining variable. 


In our constructions we will use t ideal n-bit compression functions to con- 
struct a secure compression function h that compresses (m + c)n bits to cn bits. 
One important aspect of what follows in this paper is that we require the t in- 
ternal ideal compression functions to act independently. Exactly how these are 
instantiated is outside the scope of this paper, but it is an important issue in 
practice. It is, however, an issue that has been addressed before and, under the 
assumption that the underlying block cipher is good, we can enforce indepen- 
dence of the fundamental compression functions by fixing bits of the underlying 
"keys" to distinct values [18] or by using constants [11] to diversify the "keys" 
used in the compression function. 

We will describe the inputs (resp. outputs) to the internal component compres- 
sion functions as internal inputs (resp. internal outputs). These are distinguished 
from the external inputs and external outputs to the larger compression function 
h that we are trying to build. The m + c inputs to h, each of n bits, will be 
denoted by $h^{m,in}_1, \ldots, h^{m,in}_m, h^{cv,in}_1, \ldots, h^{cv,in}_c$ and we denote the c n-bit output 
blocks by $h^{cv,out}_1, \ldots, h^{cv,out}_c$. 

The internal inputs will be derived as a linear combination of the external 
inputs to h, and we will derive the output from h as a linear combination of the 
internal outputs from the t ideal compression functions. Thus, the kt inputs 
$f^{(i)}_j$ to the internal compression functions ($1 \le i \le t$ and $1 \le j \le k$) will be linear 
functions of the external inputs, and for each compression function $f^{(i)}$ we have 

$$(f^{(i)}_1, \ldots, f^{(i)}_k)^T = A_i \cdot (h^{m,in}_1, \ldots, h^{m,in}_m, h^{cv,in}_1, \ldots, h^{cv,in}_c)^T,$$ 

where $A_i$ is a $(k \cdot n) \times ((m + c) \cdot n)$ binary matrix, consisting of $(n \times n)$ blocks 
which are either zero or the identity matrix, corresponding to the compression 
function $f^{(i)}$. Taken together, such matrices define a mixing layer among the 
inputs to the t compression functions and we call this the input layer. Similarly, 
the external outputs from h are any linear combination of the t compression 
function outputs. This is the output layer and for the external outputs $h^{cv,out}_i$ 
($1 \le i \le c$) we have 

$$(h^{cv,out}_1, \ldots, h^{cv,out}_c)^T = B \cdot (f^{(1)}, \ldots, f^{(t)})^T,$$ 

where B is a $(c \cdot n) \times (t \cdot n)$ binary matrix, consisting of $(n \times n)$ blocks which are either 
zero or the identity matrix. This is illustrated in Figure 1. Note that we allow 
the possibility of a feedforward of the external inputs around the compression 
functions. We actually ignore this feature in the remainder of the paper, since 
we observe that incorporating a feedforward according to Figure 1 does not help 
prevent the attacks we consider in this paper. 

We also recall the established fact [19,25] that 

“...applying any simple (in both directions) invertible transformation 
to the input and to the output of the hash round function yields a new 
hash round function with the same security as the original one. ” 

We accept that such invertible transformations may well be applied to the ex- 
ternal inputs and outputs of h before the input layer and after the output layer. 
But since they can have no cryptanalytic effect we ignore them. 

Finally, we emphasize that we have restricted ourselves to parallel construc- 
tions where every internal input is computed as a linear combination of the 
external inputs. This is a natural limitation that encompasses most previously 
established schemes and offers obvious performance benefits in hardware 
implementation. We also note that the structural observations of Joux [12], 
Dean [8], and Kelsey and Schneier [13] do not relate to the task of building a 
larger compression function from a layer of parallel compression functions, but 
only to the usual Merkle-Damgard iteration of the final compression function 
that results. 

3 First Observations 

Our model for combining compression functions is both natural and powerful. 
To illustrate, we might consider some of the more prominent block cipher-based 
compression functions, and Appendix A shows how the compression function of 
MDC-2 fits our framework with parameters c = 2, t = 2, k = 2, and m = 1 (the 
two internal compression functions being Matyas-Meyer-Oseas constructions), 
while the schemes proposed by Nandi et al. [28] have (c, t, k, m) parameter sets 
(2, 3, 2, 1) and (2, 3, 3, 2). Other schemes with appropriate parameters are pro- 
vided below. 


Name               Ref.   c   t   k   m   Cryptanalysis 
MDC-2              [5]    2   2   2   1   [32] 
PBGV               [33]   2   2   2   2   [19] 
ABREAST-DM         [19]   2   2   3   1 
PARALLEL-DM        [21]   2   2   2   2   [14] 
Hirose family      [10]   2   2   3   1 
Nandi et al. N1    [28]   2   3   2   1   [15] 
Nandi et al. N2    [28]   2   3   3   2   [15] 


Like other compression function-based work, we cover instances where the 
underlying block cipher has different block and key lengths. However, unlike 
many previous constructions, we consider using t internal compression functions 
to derive c blocks of output with t > c. This allows us to make a fundamental 
distinction between previous work and that presented in this paper. 

We identify the size of the output chaining variable that is required, and hence 
the number of output blocks c. Then, by considering established attacks, we 
achieve bounds on t that give us the minimum number of compression functions 
required to achieve the desired security level. We achieve this by a suitable anal- 
ysis of the output layer. Our goal is to derive schemes that offer an optimal level 
of security of $2^{nc}$ work effort for preimage attacks and $2^{nc/2}$ for collision attacks. 
This nicely complements the work of Knudsen and Preneel [16,17,18], where the 
security of potentially non-optimal constructions is analysed via consideration 
of the input layer. 

First, we observe the following series of implications. Given a set of param- 
eters (c, t, k, m) for some construction, we use $(c,t,k,m) \in S$ to denote that a 
construction with ideal collision resistance with these parameters exists and we 
use $(c,t,k,m) \notin S$ to denote the fact that no such scheme can exist for this 
parameter set. 

Implications 1. Given c, t, k, and m all $\ge 1$, we have the following four sets 
of pairwise equivalent implications: 

$(c,t,k,m) \notin S \Rightarrow (c,t,k,m+1) \notin S$   and   $(c,t,k,m+1) \in S \Rightarrow (c,t,k,m) \in S$ 
$(c,t,k,m) \in S \Rightarrow (c,t,k+1,m) \in S$   and   $(c,t,k+1,m) \notin S \Rightarrow (c,t,k,m) \notin S$ 
$(c,t,k,m) \in S \Rightarrow (c,t+1,k,m) \in S$   and   $(c,t+1,k,m) \notin S \Rightarrow (c,t,k,m) \notin S$ 
$(c,t,k,m) \notin S \Rightarrow (c+1,t,k,m) \notin S$   and   $(c+1,t,k,m) \in S \Rightarrow (c,t,k,m) \in S$. 

Justification: Suppose that there exists a secure design with parameter set 
(c, t, k, m). If we replace one message block by a constant then we still have a 
secure scheme. Thus the first implications are true. If we can use one additional 
input for every inner compression function, then we can use them so that none 
has any influence over the output. Thus the second set of implications is true. 
If we have an additional compression function, we can still build a secure scheme 
by simply ignoring it. Thus the third set of implications is true. The final im- 
plications reflect the natural conjecture that constructing an ideal compression 
function of output size c + 1 blocks is harder than constructing an ideal com- 
pression function of output size c blocks. □ 

The above implications are simple but useful. For MDC-2 the corresponding pa- 
rameter set is (2, 2, 2, 1): a double block-length construction using two compres- 
sion functions, each taking two equal-sized inputs (key and message) and process- 
ing one message block at each iteration. As shown in Section 4, $(2,2,2,1) \notin S$. 
Yet, there has been much effort in building schemes with a better rate, i.e. hash- 
ing more than one message block at each iteration, for which one corresponding 
parameter set would be (2, 2, 2, 2). But we have that $(2,2,2,1) \notin S \Rightarrow (2,2,2,2) \notin S$ 
and such efforts cannot succeed (see footnote 1). 


4 Generic Attacks 

In this section we consider two attacks that have been used in the literature. By 
generalising these attacks we are able to make statements about the impossibility 
of certain constructions. More importantly, we extract criteria for the successful 
design of a compression function with an intended level of security. 

4.1 Attack Method: DF 

The first generic attack depends on what we term the number of degrees of 
freedom. It resembles the classic divide-and-conquer strategy from other crypt- 
analytic fields and can be applied to many proposals. The idea is to isolate, and 
attack, a linear combination of the output blocks but to keep at least one external 
input block free from conditions. Then, the free input can be determined sepa- 
rately at the end of the attack. Attacks on MDC-2 provide a good example [32] 
and an equivalent representation of MDC-2 is provided in Figure 3. To find a 
preimage, one can attack the two branches independently. Finding a preimage 
for one branch will fix two inputs to the overall compression function and since 
we have three external inputs M, $H_1$, and $H_2$ there remains one external input 
free, i.e. one degree of freedom. Thus, we can independently use the free input 
to obtain a preimage for the other branch by brute force. The attack has work 
effort proportional to $2^n$ operations instead of the intended $2^{2n}$. A collision at- 
tack works in a corresponding way. Consideration of this attack gives some of 
the bounds in [16,17,18]. We use it again here. 

1 To avoid any confusion we emphasize that the double block-length construction of 
Hirose [10] has parameter set (2, 2, 3, 1) since it uses a block cipher with a key that 
is twice the block size. 

4.2 Attack Method: MUL 

The second attack uses multi-collisions and multi-preimages and is described 
in [36,15]. Similar considerations were used in a different way in [18]. For the 
attack to be successful, the compression function must satisfy several structural 
conditions. First, the attacker identifies a linear combination Z of the external 
outputs of h that depends on a non-empty set $G_Z$ of compression functions 
$\{f^{(i)}\}$. Next, the attacker identifies two external input blocks X and Y. The 
external input X should influence the internal inputs to a subset $G_X$ of the 
compression functions in $G_Z$. Similarly the external input block Y should influ- 
ence the internal inputs to a subset $G_Y$ of the compression functions in $G_Z$. It 
is important to identify X and Y (and hence $G_X$ and $G_Y$) so that $G_X \cap G_Y = \emptyset$. 

We now describe the attack in terms of finding preimages. The attacker fixes 
values for all the external input blocks except the previously identified inputs X 
and Y. Then, each value of X (resp. Y) is used to generate an internal output 
value for each $f^{(i)}$ in $G_X$ (resp. $G_Y$). Thus, the attacker effectively compiles two 
lists $L_X$ and $L_Y$, each containing $2^n$ elements, where for every possible value of 
X and Y all the internal outputs of the $\{f^{(i)}\}$ in $G_X$ and $G_Y$ are stored. 
Using Wagner's technique [38] these two lists can be joined in $2^n$ operations to 
obtain a third list $L_Z$ that contains all pairs (X, Y) (with $X \in L_X$ and $Y \in L_Y$) 
yielding the target image for the external output block. Since $L_X$ and $L_Y$ both 
have about $2^n$ elements, we expect $L_Z$ to contain about $2^n$ elements. 

At this stage we have found $2^n$ preimages of one external output block at 
a cost proportional to $2^n$ operations. If h has c output blocks, then an entry 
in the list $L_Z$ will give a good preimage for all c external output blocks with 
probability $2^{-(c-1)n}$. Thus, we repeat this procedure for $2^{(c-2)n}$ allocations 
of the m + c − 2 input variables distinct from X and Y in order to find a valid 
preimage with probability close to 1. The attack requires $2^{(c-1)n}$ operations 
instead of $2^{cn}$ in the ideal case. The collision attack works in a similar fashion. 
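Both attacks can be run against small instances. The following Python is an added example and is not code from the paper: the block size N, the SHA-256-based model of the independent ideal compression functions f, the two target schemes (the equivalent two-branch representation of MDC-2 for attack DF, and a constructed (2,3,2,1)-type scheme for attack MUL) and the secret input used to derive the target are all constructed for illustration. The evaluation counter makes the $2^n$ versus $2^{2n}$ work factor visible.

```python
"""Toy DF and MUL preimage attacks (added example; not code from the paper).

Constructed assumptions:
  * block size n = N bits; the independent ideal compression functions f^(i)
    are modelled by SHA-256 keyed with the function index, truncated to n bits;
  * DF target: the equivalent two-branch representation of MDC-2,
        out1 = f1(H1, M),  out2 = f2(H2, M)             (c=2, t=2, k=2, m=1);
  * MUL target: a toy (2,3,2,1)-type scheme,
        out1 = f1(H1, M) ^ f2(H2, M),  out2 = f2(H2, M) ^ f3(H1 ^ H2, M).
Both attacks recover a preimage with O(2^n) inner evaluations instead of the
2^(2n) an ideal 2n-bit compression function would demand.
"""
import hashlib
from collections import defaultdict

N = 10                   # toy block size in bits (64 or 128 in practice)
SPACE = 1 << N
EVALS = {"count": 0}     # number of inner compression function calls


def f(i, x, y):
    """i-th independent ideal 2n-to-n-bit compression function (toy model)."""
    EVALS["count"] += 1
    data = bytes([i]) + x.to_bytes(4, "big") + y.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % SPACE


def mdc2_like(m, h1, h2):
    return f(1, h1, m), f(2, h2, m)


def nandi_like(m, h1, h2):
    a, b, c = f(1, h1, m), f(2, h2, m), f(3, h1 ^ h2, m)
    return a ^ b, b ^ c


def df_preimage(target):
    """Attack DF: solve the first branch for (M, H1), then use the remaining
    degree of freedom H2 for the second branch; each branch costs <= 2^n."""
    t1, t2 = target
    for m in range(SPACE):                          # new M if a branch fails
        h1 = next((x for x in range(SPACE) if f(1, x, m) == t1), None)
        if h1 is None:
            continue
        h2 = next((x for x in range(SPACE) if f(2, x, m) == t2), None)
        if h2 is not None:
            return m, h1, h2
    raise RuntimeError("no preimage found")


def mul_preimage(target):
    """Attack MUL on Z = out1: X = H1 feeds only f1 and Y = H2 feeds only f2,
    so the lists L_X and L_Y join in ~2^n work into ~2^n preimages of out1,
    each of which also fixes out2 with probability 2^-n; the m+c-2 = 1
    remaining input M is re-allocated until one survives."""
    t1, t2 = target
    for m in range(SPACE):
        lx = defaultdict(list)
        for h1 in range(SPACE):
            lx[f(1, h1, m)].append(h1)              # L_X: outputs of f1
        for h2 in range(SPACE):
            v2 = f(2, h2, m)                        # L_Y: outputs of f2
            for h1 in lx.get(v2 ^ t1, ()):          # join on f1 ^ f2 == t1
                if v2 ^ f(3, h1 ^ h2, m) == t2:     # test the second block
                    return m, h1, h2
    raise RuntimeError("no preimage found")


def run_attack(attack, scheme, secret=(0x2A7, 0x15C, 0x3E1)):
    """Hash a (constructed) secret input, run the attack on the result and
    return (preimage, inner evaluations used, ideal cost 2^(2n))."""
    target = scheme(*secret)
    EVALS["count"] = 0
    preimage = attack(target)
    used = EVALS["count"]
    assert scheme(*preimage) == target
    return preimage, used, SPACE * SPACE


if __name__ == "__main__":
    for attack, scheme in ((df_preimage, mdc2_like), (mul_preimage, nandi_like)):
        pre, used, ideal = run_attack(attack, scheme)
        print(f"{attack.__name__}: preimage {pre}, {used} evaluations vs {ideal}")
```

With N = 10 both attacks finish in a few thousand inner evaluations against an ideal cost of $2^{20}$; the MUL join is a plain hash join because only two lists are involved, which is the two-list case of Wagner's algorithm.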

5 Security Criteria 

The compression function h that we wish to build takes m + c external input 
blocks and each internal compression function $f^{(i)}$ takes k internal input blocks, 
defined by the input matrices $A_i$. Since we can apply any invertible transformation 
to the inputs of h, the important criterion for the input layer is the dimension 
of the vector space generated by the columns of the matrices $A_i$. This is already 
explored in existing work [14]. Considering the results in Section 4, we can make 
the following observations. 

- To prevent attack DF, every external output block $h^{cv,out}_i$ must depend on 
all external input blocks $h^{m,in}_1, \ldots, h^{m,in}_m, h^{cv,in}_1, \ldots, h^{cv,in}_c$, no matter which 
invertible transformations of the external inputs and outputs are used. 

- We say that an identified pair of external input blocks is a pair (A, B) where 
A and B both appear within the internal inputs to some $f^{(i)}$. (For example, 
with $f^{(i)}(A, B \oplus C)$, the identified pairs (A, B), (A, C), and (B, C) appear in 
$f^{(i)}$.) Then, in order to prevent attack MUL, every possible pair of external in- 
put blocks must appear as an identified pair for every invertible combination 
of external output blocks $h^{cv,out}_i$. This applies no matter which invertible 
transformations of the external inputs and outputs are used. 
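For small parameter sets both criteria can be checked mechanically. The Python below is an added example, not code from the paper: it enumerates every invertible combination Z of the output blocks and every invertible change of variables on the external inputs (all 168 of them when m + c = 3), tests the rank condition behind criterion DF and the identified-pair condition behind criterion MUL, and applies them to three constructed instances: the two-branch representation of MDC-2, a Hirose-type (2,2,3,1) configuration, and the d = 2 configuration $Z = f_1(A, B) \oplus f_2(C, A \oplus B)$ analysed in Section 5.1. The encoding of a scheme (bit masks over the external blocks for the rows of $A_i$, sets of inner-function indices per output block for B) is this example's own convention.

```python
"""Checking the DF and MUL criteria of Section 5 on small schemes.

Added example, not code from the paper. A scheme is given in the paper's
model: the m+c external input blocks are bits of a mask; each inner function
f^(i) is listed by its k internal inputs, each a GF(2) combination of the
external blocks (the rows of A_i); each external output block is the set of
inner functions it XORs together (the nonzero blocks of a row of B).
Feedforward and constant internal inputs are ignored, as in the paper.
"""
from itertools import combinations, product


def rank_gf2(vectors):
    """Rank over GF(2) of vectors given as bit masks."""
    pivots = {}
    for v in vectors:
        while v:
            hb = v.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = v
                break
            v ^= pivots[hb]
    return len(pivots)


def invertible_maps(n):
    """All invertible n x n GF(2) matrices V, each as a tuple of column masks."""
    return [cols for cols in product(range(1, 1 << n), repeat=n)
            if rank_gf2(cols) == n]


def transform(mask, cols):
    """Rewrite an internal input a.x under the change of variables x = V x':
    the new coefficient vector is a.V, i.e. bit j = parity(a & column_j)."""
    return sum((bin(mask & col).count("1") & 1) << j for j, col in enumerate(cols))


def identified_pairs(rows):
    """Pairs of external blocks that both appear among one function's inputs,
    e.g. f(A, B ^ C) identifies (A,B), (A,C) and (B,C)."""
    union = 0
    for r in rows:
        union |= r
    blocks = [j for j in range(union.bit_length()) if union >> j & 1]
    return set(combinations(blocks, 2))


def check_criteria(n_in, inner, outputs):
    """Return (resists_DF, resists_MUL), checked for every invertible
    combination Z of output blocks and every invertible input transformation."""
    all_pairs = set(combinations(range(n_in), 2))
    maps = invertible_maps(n_in)
    df_ok = mul_ok = True
    for size in range(1, len(outputs) + 1):
        for combo in combinations(outputs, size):
            gz = set()                                  # G_Z for this Z
            for block in combo:
                gz ^= set(block)
            rows = [row for i in gz for row in inner[i]]
            if rank_gf2(rows) < n_in:                   # some input stays free
                df_ok = False
            for cols in maps:
                seen = set()
                for i in gz:
                    seen |= identified_pairs([transform(r, cols) for r in inner[i]])
                if seen != all_pairs:                   # X, Y with G_X, G_Y disjoint
                    mul_ok = False
                    break
    return df_ok, mul_ok


# Constructed instances: external blocks M, H1, H2 (m = 1, c = 2).
M, H1, H2 = 0b001, 0b010, 0b100
MDC2_EQUIV = dict(n_in=3, inner=[[H1, M], [H2, M]], outputs=[{0}, {1}])
HIROSE_TYPE = dict(n_in=3, inner=[[H1, H2, M], [H1, H2, M]], outputs=[{0}, {1}])
# The d = 2 configuration of Section 5.1: Z = f1(A, B) ^ f2(C, A ^ B).
A, B, C = M, H1, H2
D2_CONFIG = dict(n_in=3, inner=[[A, B], [C, A ^ B]], outputs=[{0, 1}])

if __name__ == "__main__":
    for name, scheme in (("MDC-2", MDC2_EQUIV), ("Hirose-type", HIROSE_TYPE),
                         ("d=2 config", D2_CONFIG)):
        print(name, "resists (DF, MUL):", check_criteria(**scheme))
```

The MDC-2 representation fails both criteria, the Hirose-type configuration (each inner function sees every external block) passes both, and the d = 2 configuration passes DF but fails MUL once the change of variables $A' = A \oplus B$ is tried, which is exactly the argument of Section 5.1.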

We now consider the secure combination of independent compression functions. 

5.1 Deriving Valid Parameter Sets 

Rather than using the identified attacks and their generalisations to break spe- 
cific proposals, we use them to derive general lower bounds on the number of 
smaller ideal compression functions needed to derive a larger ideal compres- 
sion function. More precisely, for a set of k-input secure compression functions, 
i.e. compressing kn to n bits, we ascertain the minimum number $t_{\min}$ of com- 
pression functions required to build a secure compression function producing cn 
bits, since they must resist DF and MUL attacks. To do this, we adopt a two-phase 
approach. First we establish a bound d on the number of compression functions 
we require when considering any single linear combination of the c output blocks. 
We then derive a bound on the minimum number of compression functions 
that are required when simultaneously considering all c output blocks in the 
chaining variable (see Table 1). 

Initial bounds on d. First, we consider attack DF and we observe that since 
each compression function takes k input blocks, and there are m + c external 
input blocks to h, at least $\lceil (m+c)/k \rceil$ compression functions are needed to cover 
all of them. Thus, every external output block must depend on at least $\lceil (m+c)/k \rceil$ 
internal output blocks. This is required for every linear combination of the 
external outputs and so we have $d \ge \lceil (m+c)/k \rceil$. 

Improved bounds on d. By considering attack DF we can derive the basic bounds 
on d given above. However a generic analysis allows us to improve on this bound by 
ensuring that a proposed configuration of compression functions also resists attack 
MUL. While the style of analysis is generic and can be reused for different parameter 
sets, it is most easily described by reference to one particular instance. 

Table 1. The minimum number $t_{\min}$ of compression functions required to resist DF 
and MUL attacks, for parameter set (c, $t_{\min}$, k, m). The dash marks the sole 
parameter set (c = 2, k = 3, m = 1) for which the improved bound does not apply. 

  Parameters        Basic bounds        Improved bounds 
  c   k   m          d    t_min           d    t_min 
  2   2   1          2      3             3      5 
  2   2   2          2      3             3      5 
  2   3   1          1      2             -      - 
  2   3   2          2      3             3      5 
  3   2   1          2      4             3      6 
  3   2   2          3      6             4      7 
  3   3   1          2      4             3      6 
  3   3   2          2      4             3      6 
  4   2   1          3      7             4      8 
  4   2   2          3      7             4      8 
  4   3   1          2      5             3      7 
  4   3   2          2      5             3      7 

Suppose that we consider the parameter set given by m + c = 3 and k = 2 
with A, B, and C denoting the three n-bit inputs to the compression function. 
Our basic bound gives $d \ge 2$, so here we assume that d = 2. Suppose that an 
external output block $h^{cv,out}_i$, or more generally a linear combination Z of one 
or more output blocks, is bound to only two compression functions $f_1$ and $f_2$. 
Then we have that $Z = f_1(X_1, X_2) \oplus f_2(X_3, X_4)$ where $X_1, X_2, X_3$, and $X_4$ are 
linear combinations of A, B, and C. 

The rank of the vector space $\langle X_1, X_2, X_3, X_4 \rangle$ spanned by $X_1, \ldots, X_4$ must be 
equal to three since otherwise attack DF would apply. Therefore, one can extract 
from $\{X_1, X_2, X_3, X_4\}$ three elements which together form a basis of $\langle A, B, C \rangle$. 
Without loss of generality, we assume that $(X_1, X_2, X_3) = (A, B, C)$ and there 
exist binary coefficients $\alpha_i$ so that $X_4 = \alpha_1 A \oplus \alpha_2 B \oplus \alpha_3 C$. We cannot have 
$\alpha_1$ or $\alpha_2$ equal to zero, since otherwise the pair (A, C) (resp. (B, C)) would not 
be encountered in either $f_1$ or $f_2$ and the attack MUL would apply. So we can 
assume, without loss of generality, that $\alpha_1 = 1$ and $\alpha_2 = 1$. If we now apply 
the invertible change of variables $A' = A \oplus B$, $B' = B$, and $C' = C$, Z can 
be rewritten as $Z = f_1(A' \oplus B', B') \oplus f_2(C', A' \oplus \alpha_3 C')$. Since the pair (B', C') is not 
encountered in either $f_1$ or $f_2$, the attack MUL applies. Thus $d \ge 3$. Note 
that such reasoning also applies when m + c > 3, thus if m + c ≥ 3 and k = 2 
we have $d \ge 3$. 

This style of reasoning allows us to improve most of the bounds on d by 
considering the applicability of the second generic attack MUL. The sole exception 
is the parameter set c = 2, k = 3, and m = 1 which corresponds to the provably 
secure scheme of Hirose and will be discussed in Section 6.2. 

Initial bounds on t. We now turn bounds on d into bounds on the minimum 
number of compression functions that must be used, $t_{\min}$. While any linear com- 
bination of the c external outputs must depend on at least d inner compression 
functions, a bound on the minimal number $t_{\min}$ of compression functions is not 
immediate. Here we derive a value for t independently of the analysis needed to 
derive d. 
In the simple case that c = 2 a combinatorial style of reasoning can be used 
and this shows that $t_{\min} \ge 3d/2$ if d is even and $t_{\min} \ge 3(d-1)/2 + 2$ otherwise. 
However a more flexible approach, scaling better to larger parameters, uses an 
analogy with coding theory. 

Consider vectors of t elements (corresponding to the number of internal com- 
pression functions) and attach to each external output block $h^{cv,out}_i$ a vector $v_i$ 
whose value is determined by whether an internal compression function influ- 
ences $h^{cv,out}_i$. If compression function $f^{(j)}$ is active in $h^{cv,out}_i$ then set the j-th 
entry of $v_i$ to 1, otherwise it has the value 0. For example, if t = 3 and for 
some proposed construction only $f^{(1)}$ and $f^{(3)}$ are involved in $h^{cv,out}_1$, then we 
set $v_1 = (1, 0, 1)$. 

In turning our result on d into a constraint on $t_{\min}$, we consider the problem 
of looking for a binary code of length t with minimal distance d and dimension 
c. The Singleton bound yields $c \le t - d + 1$ and so $t \ge c + d - 1$. The Hamming 
bound is tighter, but is more involved and given in Appendix B. 
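As an added example (not the paper's code), the following Python derives the $t_{\min}$ entries of Table 1 from these bounds. It assumes the Singleton bound as stated above and the standard binary Hamming (sphere-packing) bound $2^c \sum_{i \le \lfloor (d-1)/2 \rfloor} \binom{t}{i} \le 2^t$; for even d it applies that bound to the length t − 1, distance d − 1 code obtained by puncturing. The paper's own form of the Hamming bound is in Appendix B, which is not reproduced here, so the even-d step is this example's assumption. The improved values of d are supplied by hand (basic d plus one wherever the MUL argument applies).

```python
"""Turning the bound d into a bound on t_min via coding theory (Section 5.1).

Added example, not code from the paper. The c output blocks are the rows of a
binary [t, c, d] code, so t_min is the smallest t admitting such a code under
the bounds used. Assumptions: the Singleton bound t >= c + d - 1 as in the
text; the standard Hamming bound 2^c * sum_{i<=e} C(t, i) <= 2^t with
e = floor((d-1)/2); and, for even d, application of that bound to the
[t-1, c, d-1] punctured code (the paper's Appendix B is not reproduced here).
With these assumptions the functions reproduce every t_min entry of Table 1.
"""
from math import ceil, comb


def basic_d(c, k, m):
    """Attack DF: every output combination needs ceil((m+c)/k) inner functions."""
    return ceil((m + c) / k)


def singleton_tmin(c, d):
    """Singleton bound c <= t - d + 1, i.e. t >= c + d - 1."""
    return c + d - 1


def hamming_ok(t, c, d):
    """Sphere-packing test for a binary code of length t, dimension c and
    minimum distance d; even d is reduced to the odd case by puncturing."""
    if d % 2 == 0:
        return hamming_ok(t - 1, c, d - 1)
    e = (d - 1) // 2
    return (1 << c) * sum(comb(t, i) for i in range(e + 1)) <= (1 << t)


def hamming_tmin(c, d):
    """Smallest t satisfying both the Singleton and the Hamming bound."""
    t = max(c, d, singleton_tmin(c, d))
    while not hamming_ok(t, c, d):
        t += 1
    return t


def table1_row(c, k, m, improved_d=None):
    """(basic d, basic t_min[, improved d, improved t_min]) for one parameter
    set; improved_d is the Section 5.1 bound (basic d + 1 where MUL applies)."""
    d0 = basic_d(c, k, m)
    row = [d0, hamming_tmin(c, d0)]
    if improved_d is not None:
        row += [improved_d, hamming_tmin(c, improved_d)]
    return tuple(row)


if __name__ == "__main__":
    for c in (2, 3, 4):
        for k in (2, 3):
            for m in (1, 2):
                d0 = basic_d(c, k, m)
                improved = None if (c, k, m) == (2, 3, 1) else d0 + 1
                print((c, k, m), table1_row(c, k, m, improved))
```

For c = 2 and d = 3 the Singleton bound alone gives only t ≥ 4, while the Hamming bound raises this to t ≥ 5, which is the $t_{\min}$ of Table 1 for the (2, 5, 2, 1) scheme of Section 6.2.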

Improved bounds on t. It is interesting to note that configurations with 
particular features might allow a dedicated, and potentially tighter, analysis 
for the bounds on t. An example is given in Appendix C. However since such 
analysis does not apply to the general model we have established, (it relies on 
a particular form to the input layer), we do not use it in the derivation of the 
bounds in Table 1. 


6 Constructions 

Given a set of parameters (c, t, k, m) it is easy to use the newly established 
bounds to check whether, according to our criteria, the scheme is necessarily 
insecure. Turning this around, if one wants to build a scheme with some pre- 
defined c, k, and m then one can compute a lower bound $t_{\min}$ on the number 
of internal compression functions that must be used, in the parallel configuration 
that we consider in Figure 1. 

6.1 Impossible Constructions 

Using the bounds established in Section 5 we first consider interesting parameter 
sets such as c ∈ {2, 3, 4}, k ∈ {2, 3}, and m ∈ {1, 2}. These correspond to cases 
where we aim to obtain double, triple, or quadruple block-length constructions, 
using a block cipher with key size the same as or twice the block size, and processing 
either one or two blocks of message. 

We use the bounds on d and, once c, k, and m are chosen, we search for 
the smallest t that satisfies our bounds. We thus derive an integer $t_{\min}$ for the 
minimum number of independent compression functions that must be used in the 
specified construction. Note that a given $t_{\min}$ does not mean that secure schemes 
with $t_{\min}$ inner compression functions necessarily exist. Rather, no secure scheme 
can exist with fewer independent compression functions of the stated type. 

Immediately there are interesting results and we note that secure schemes with 
(c, t, k, m) parameters (2, 3, 2, 1) or (2, 3, 3, 2) are impossible. These correspond 
to the schemes of Nandi et al. [28]. Since our bounds are derived by generalising 
attacks on [28] we expect this to be the case. However, constructions using four 
inner compression functions would still be insecure. 

Indeed, for the most natural case with c = 2, k = 2, and m = 1, the case of 
DES and AES-128, one must use at least five inner compression functions in a 
parallel framework to obtain a secure hash function offering 64-bit and 128-bit 
security respectively. This is more than one might have expected. The case of a 
quadruple block-length output is even more dramatic. If one wished to design a 
compression function that used AES-128 as a building block but offered 256-bit 
security, then one would be required to use at least eight parallel instantiations 
of AES-128 to produce a secure compression function. 

6.2 Proposed Constructions 

Figure 2 shows a (2, 5, 2, 1)-scheme that is secure against the attacks consid- 
ered in this paper. Further research will determine whether other attacks apply. 
However, this scheme is one from a range of double block-length hash function 
constructions that might be instantiated with AES-128 or other block ciphers 
with identical block and key sizes. Note that this is the only such construction 
that remains uncompromised. Figure 2 also depicts a (2, 5, 3, 2)-construction that 
resists our generic attacks, meets our bound, and could be instantiated with AES- 
256 or a cipher like IDEA (or even two-key triple-DES) with a key length twice 
the block length. The parameter set (2, 2, 3, 1) is covered by Hirose. 

[Figure 2: diagram not reproduced; its labels are the inputs $H_1$, $H_2$, M and the 
outputs $H'_1$, $H'_2$.] 

Fig. 2. A (2, 5, 2, 1) and a (2, 5, 3, 2) construction. For the first construction each (in- 
dependent) inner compression function can be instantiated using a block cipher with 
equal key and block size. For the second construction, the key size is double the block 
size. $M_1$, $M_2$ are n-bit message blocks; $H_1$, $H_2$ are n-bit incoming chaining variable 
blocks and $H'_1$, $H'_2$ are n-bit output chaining variable blocks. 

A particularly simple set of parameters satisfies $k \ge m + c$, when all exter- 
nal inputs can be accommodated within each internal compression function and 
d = 1. Thus, we derive a secure compression function with t = c without re- 
quiring additional internal compression functions. We only need to ensure that 
all external input blocks are used directly in every internal compression func- 
tion, with any free internal inputs fixed to a constant value. Then every external 
output needs to be bound to one, and only one, internal compression function. 
Hirose [10] has already studied members of this family of block cipher-based 
hash functions and proved their security in both the random oracle model and 
in the ideal cipher model when the compression functions are instantiated using 
a Davies-Meyer construction. 

7 Conclusions 

In this paper we have analyzed techniques to construct a larger compression 
function by combining smaller, trusted, compression functions. By generalising 
attacks in the literature, we are able to establish conditions on the type and 
number of components that are required to ensure that the constructions are 
not vulnerable to a range of powerful and general attacks. 

This work has a direct and immediate application to the construction of block 
cipher-based hash functions for which the length of the hash output is greater 
than the block size of the underlying block cipher. The most important conclu- 
sion to draw is that it is actually rather difficult to use multiple instantiations 
of a block cipher to build a secure compression function; or at least to do so in 
a particularly efficient way. For example, when using AES-128 for double block- 
length hashing, one must use at least five parallel instantiations of AES-128 to 
derive a compression function offering 128-bit security. To achieve 
256-bit security, one must use eight. This is a surprisingly high number of block 
cipher calls, particularly so when we consider that this is merely to avoid the 
application of generic attacks. 

While there are many possible generalisations to the framework used in this 
paper, we have provided a natural and broad framework for the analysis of 
schemes of this type. Extensions to this work, including identifying schemes that 
achieve the most efficient permissible bounds, are the subject of ongoing research. 

Acknowledgements 

The authors would like to thank Sebastien Kunz-Jacques, Yannick Seurin, and 
the program committee for their valuable comments. 



Combining Compression Functions 327 


References 

1. M. Bellare and P. Rogaway. Random Oracles are Practical: A Paradigm for De- 
signing Efficient Protocols. In ACM Conference on Computer and Communications 
Security, pages 62-73. 1993. 

2. J. Black, P. Rogaway, and T. Shrimpton. Black-Box Analysis of the Block-Cipher- 
Based Hash-Function Constructions from PGV. In M. Yung, editor, Advances in 
Cryptology - CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, 
pages 320-335. Springer-Verlag, 2002. 

3. J. Black, M. Cochran, and T. Shrimpton. On the Impossibility of Highly-Efficient 
Blockcipher-Based Hash Functions. In R. Cramer, editor, Advances in Cryptology 
- EUROCRYPT '05, volume 3494 of Lecture Notes in Computer Science, pages 
526-541. Springer-Verlag, 2005. 

4. L. Brown, J. Pieprzyk, and J. Seberry. LOKI - a Cryptographic Primitive for Au- 
thentication and Secrecy Applications. In J. Pieprzyk and J. Seberry, editors, Ad- 
vances in Cryptology - AUSCRYPT '90, volume 453 of Lecture Notes in Computer 
Science, pages 229-236. Springer-Verlag, 1990. 

5. D. Coppersmith, S. Pilpel, C.H. Meyer, S.M. Matyas, M.M. Hyden, J. Oseas, 
B. Brachtl, and M. Schilling. Data Authentication Using Modification Detection 
Codes Based on a Public One Way Encryption Function. U.S. Patent No. 4,908,861, 
March 13, 1990. 

6. J-S. Coron, Y. Dodis, C. Malinaud, and P. Puniya. Merkle-Damgard Revisited: 
How to Construct a Hash Function. In V. Shoup, editor, Advances in Cryptology - 
CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pages 430-448. 
Springer-Verlag, 2005. 

7. I. Damgard. A Design Principle for Hash Functions. In G. Brassard, editor, Ad- 
vances in Cryptology - CRYPTO '89, volume 435 of Lecture Notes in Computer 
Science, pages 416-427. Springer-Verlag, 1989. 

8. R.D. Dean. Formal Aspects of Mobile Code Security. PhD thesis, Princeton Uni- 
versity, 1999. 

9. H. Handschuh, L.R. Knudsen, and M.J.B. Robshaw. Analysis of SHA-1 in Encryp- 
tion Mode. In D. Naccache, editor, Topics in Cryptology - CT-RSA 2001, volume 
2020 of Lecture Notes in Computer Science, pages 70-83. Springer-Verlag, 2001. 

10. S. Hirose. Provably Secure Double-block-length Hash Functions in a Black-box 
Model. In C. Park and S. Chee, editors, Information Security and Cryptology - 
ICISC 2004, volume 3506 of Lecture Notes in Computer Science, pages 330-342. 
Springer-Verlag, 2004. 

11. S. Hirose. Some Plausible Constructions of Double-Block-Length Hash Functions. 
In M.J.B. Robshaw, editor, Fast Software Encryption - FSE 2006, volume 4047 of 
Lecture Notes in Computer Science. 

12. A. Joux. Multi-collisions in Iterated Hash Functions. Application to Cascaded Con- 
structions. In M. Franklin, editor, Advances in Cryptology - CRYPTO 2004, vol- 
ume 3152 of Lecture Notes in Computer Science, pages 306-316. Springer-Verlag, 
2004. 

13. J. Kelsey and B. Schneier. Second Preimages on n-bit Hash Functions for Much 
Less Than 2^n Work. In R. Cramer, editor, Advances in Cryptology - EURO- 
CRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 474-490. 
Springer-Verlag, 2005. 



328 


T. Peyrin et al. 


14. L.R. Knudsen and X. Lai. New Attacks on All Double Block Length Hash Functions of Hash Rate 1, Including the Parallel-DM. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT ’94, volume 950 of Lecture Notes in Computer Science, pages 410-418. Springer-Verlag, 1994.

15. L.R. Knudsen and F. Muller. Some Attacks Against a Double Length Hash Proposal. In B. Roy, editor, Advances in Cryptology - ASIACRYPT ’05, volume 3788 of Lecture Notes in Computer Science, pages 462-473. Springer-Verlag, 2005.

16. L.R. Knudsen and B. Preneel. Hash Functions Based on Block Ciphers and Quaternary Codes. In K. Kim and T. Matsumoto, editors, Advances in Cryptology - ASIACRYPT ’96, volume 1163 of Lecture Notes in Computer Science, pages 77-90. Springer-Verlag, 1996.

17. L.R. Knudsen and B. Preneel. Fast and Secure Hashing Based on Codes. In B.S. Kaliski Jr., editor, Advances in Cryptology - CRYPTO ’97, volume 1294 of Lecture Notes in Computer Science, pages 485-498. Springer-Verlag, 1997.

18. L.R. Knudsen and B. Preneel. Construction of Secure and Fast Hash Functions Using Nonbinary Error-Correcting Codes. IEEE Transactions on Information Theory, 48(9):2524-2539, 2002.

19. X. Lai and J.L. Massey. Hash Functions Based on Block Ciphers. In R.A. Rueppel, editor, Advances in Cryptology - EUROCRYPT ’92, volume 658 of Lecture Notes in Computer Science, pages 55-70. Springer-Verlag, 1992.

20. X. Lai, J.L. Massey, and S. Murphy. Markov Ciphers and Differential Cryptanalysis. In D.W. Davies, editor, Advances in Cryptology - EUROCRYPT ’91, volume 547 of Lecture Notes in Computer Science, pages 17-38. Springer-Verlag, 1991.

21. X. Lai, C. Waldvogel, W. Hohl, and T. Meier. Security of Iterated Hash Functions Based on Block Ciphers. In D.R. Stinson, editor, Advances in Cryptology - CRYPTO ’93, volume 773 of Lecture Notes in Computer Science, pages 379-390. Springer-Verlag, 1993.

22. S. Lucks. A Failure-Friendly Design Principle for Hash Functions. In B. Roy, editor, Advances in Cryptology - ASIACRYPT 2005, volume 3788 of Lecture Notes in Computer Science, pages 474-494. Springer-Verlag, 2005.

23. M. Liskov, R.L. Rivest, and D. Wagner. Tweakable Block Ciphers. In M. Yung, editor, Advances in Cryptology - CRYPTO ’02, volume 2442 of Lecture Notes in Computer Science, pages 31-46. Springer-Verlag, 2002.

24. R. Matsumoto, K. Kurosawa, and T. Itoh. Primal-Dual Distance Bounds of Linear Codes with Application to Cryptography. IACR Cryptology ePrint Archive, Report 2005/194. Available from: http://eprint.iacr.org.

25. W. Meier and O. Staffelbach. Nonlinearity Criteria for Cryptographic Functions. In J.-J. Quisquater and J. Vandewalle, editors, Advances in Cryptology - EUROCRYPT ’89, volume 434 of Lecture Notes in Computer Science, pages 549-562. Springer-Verlag, 1989.

26. A.J. Menezes, S.A. Vanstone, and P.C. Van Oorschot. Handbook of Applied Cryptography. CRC Press, Inc., Boca Raton, FL, USA, 1996.

27. R.C. Merkle. One Way Hash Functions and DES. In G. Brassard, editor, Advances in Cryptology - CRYPTO ’89, volume 435 of Lecture Notes in Computer Science, pages 428-446. Springer-Verlag, 1989.

28. M. Nandi, W. Lee, K. Sakurai, and S. Lee. Security Analysis of a 2/3-rate Double Length Compression Function in Black-box Model. In H. Gilbert and H. Handschuh, editors, Fast Software Encryption - FSE 2005, volume 3557 of Lecture Notes in Computer Science, pages 243-254. Springer-Verlag, 2005.

29. National Institute of Standards and Technology. FIPS 197: Advanced Encryption Standard, November 2001. Available from: http://csrc.nist.gov.





30. National Institute of Standards and Technology. FIPS 180-2: Secure Hash Standard, August 2002. Available from: http://csrc.nist.gov.

31. National Institute of Standards and Technology. SP800-67: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, May 2004. Available from: http://csrc.nist.gov.

32. B. Preneel. Analysis and Design of Cryptographic Hash Functions. PhD thesis, Katholieke Universiteit Leuven, 1993.

33. B. Preneel, A. Bosselaers, R. Govaerts, and J. Vandewalle. Collision-free Hash Functions Based on Block Cipher Algorithms. In Proceedings 1989 International Carnahan Conference on Security Technology (Oct 3-5 1989: Zurich, Switzerland), pages 203-210. IEEE, 1989. IEEE catalog number 89CH2774-8.

34. B. Preneel, R. Govaerts, and J. Vandewalle. Hash Functions Based on Block Ciphers: A Synthetic Approach. In D.R. Stinson, editor, Advances in Cryptology - CRYPTO ’93, volume 773 of Lecture Notes in Computer Science, pages 368-378. Springer-Verlag, 1993.

35. J.-J. Quisquater and M. Girault. 2n-bit Hash-functions Using n-bit Symmetric Block Cipher Algorithms. In J.-J. Quisquater and J. Vandewalle, editors, Advances in Cryptology - EUROCRYPT ’89, volume 434 of Lecture Notes in Computer Science, pages 102-109. Springer-Verlag, 1989.

36. B. Preneel, R. Govaerts, and J. Vandewalle. On the Power of Memory in the Design of Collision Resistant Hash Functions. In J. Seberry and Y. Zheng, editors, Advances in Cryptology - ASIACRYPT ’92, volume 718 of Lecture Notes in Computer Science, pages 105-121. Springer-Verlag, 1992.

37. R.L. Rivest. RFC 1321: The MD5 Message-Digest Algorithm, April 1992. Available from: http://www.ietf.org/rfc/rfc1321.txt.

38. D. Wagner. A Generalized Birthday Problem. In M. Yung, editor, Advances in Cryptology - CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 288-303. Springer-Verlag, 2002.

39. X. Wang and H. Yu. How to Break MD5 and Other Hash Functions. In R. Cramer, editor, Advances in Cryptology - EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 19-35. Springer-Verlag, 2005.

40. X. Wang, Y.L. Yin, and H. Yu. Finding Collisions in the Full SHA-1. In V. Shoup, editor, Advances in Cryptology - CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pages 17-36. Springer-Verlag, 2005.





Appendix A: Some Established Constructions 


[Fig. 3: diagram not reproduced in this text version; only the caption survives.]

Fig. 3. Mapping the compression functions of MDC-2 and Nandi et al. to our framework. Recall that simple invertible transformations such as a swap can be ignored [19]. $M_1, M_2$ are $n$-bit message blocks; $H_1, H_2$ are $n$-bit incoming chaining variable blocks and $H'_1, H'_2$ are $n$-bit output chaining variable blocks.


Appendix B: The Hamming Bound 

While it is more difficult to exploit, the Hamming bound is tighter than the Singleton bound. Here we give an improved version of the Hamming bound [24]:

$$c \le t - \log_2\left(\sum_{i=0}^{(d-1)/2} \binom{t}{i}\right) \quad \text{if } d \text{ is odd, and}$$

$$c \le t - \log_2\left(\binom{t-1}{d/2-1} + \sum_{i=0}^{d/2-1} \binom{t}{i}\right) \quad \text{if } d \text{ is even.}$$

This can be used to give a bound on $t$ in terms of $c$ and $d$. The table below allows us to compare the Singleton and the Hamming bound for some parameter sets used in Table 1.
  Parameters  |  Bounds (minimum t)
   c     d    |  Singleton   Hamming
  -----------------------------------
   2     1    |      2          2
   2     2    |      3          3
   2     3    |      4          5
   3     2    |      4          4
   3     3    |      5          6
   3     4    |      6          7
   4     2    |      5          5
   4     3    |      6          7
   4     4    |      7          8
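The two bounds above as a small computation, added here as a worked example (this is not the paper's own code): for each pair $(c, d)$ it returns the smallest $t$ that each bound permits, which is what the table lists. The Singleton bound is taken in the form $d \le t - c + 1$ for a binary $[t, c, d]$ code; that reading is an assumption about how the paper applies it, but it agrees with the table's Singleton column.

```python
"""Singleton and (improved) Hamming bounds for a binary [t, c, d] code: the
smallest t each bound permits for given c and d. Added example, not the paper's
own code; the Singleton bound is assumed to be d <= t - c + 1, which matches
the Singleton column of the table in Appendix B."""
from math import comb


def hamming_sum(t, d):
    """Right-hand side of the improved Hamming bound 2^(t-c) >= hamming_sum(t, d)."""
    if d % 2 == 1:                      # odd d: plain sphere-packing sum
        return sum(comb(t, i) for i in range((d - 1) // 2 + 1))
    half = d // 2                       # even d: extra binom(t-1, d/2-1) term [24]
    return comb(t - 1, half - 1) + sum(comb(t, i) for i in range(half))


def singleton_min_t(c, d):
    """Smallest t with d <= t - c + 1."""
    return c + d - 1


def hamming_min_t(c, d):
    """Smallest t with c <= t - log2(hamming_sum(t, d)), checked in exact integers."""
    t = c                               # a [t, c, d] code needs t >= c
    while (1 << (t - c)) < hamming_sum(t, d):
        t += 1
    return t


def bound_table(params):
    """Rows (c, d, Singleton, Hamming) for a list of (c, d) pairs."""
    return [(c, d, singleton_min_t(c, d), hamming_min_t(c, d)) for c, d in params]


if __name__ == "__main__":
    rows = bound_table([(2, 1), (2, 2), (2, 3), (3, 2), (3, 3), (3, 4), (4, 2), (4, 3), (4, 4)])
    for row in rows:
        print("c=%d d=%d  Singleton t>=%d  Hamming t>=%d" % row)
```

Comparing the two columns row by row shows the sense in which the text calls the Hamming bound tighter: its minimum $t$ is never below the Singleton one, and for $d \ge 3$ it is strictly larger.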
Appendix C: Preferred Bounds on t in a Restricted Model

While the bounds derived in this appendix do not apply to the general model, it is interesting to see what can be achieved with some minor restrictions to the general framework. Here we consider the impact of a simplified input layer and we assume that each of the $kt$ internal inputs is one of the $m + c$ external inputs. This is far more restrictive than the general case of a linear combination of the external inputs and so it is not surprising that we can derive better bounds.

From the previous analysis we know that every possible pair of external inputs must be present in at least one of the internal compression functions involved in any linear combination of the external output blocks. We have $N_c = (m+c)\cdot(m+c-1)/2$ different pairs. In each internal compression function, we can have at most $N_k = k\cdot(k-1)/2$ pairs present. Each of the $N_c$ pairs must appear in at least $c$ different internal compression functions, since otherwise there would exist a linear combination of the external outputs which would involve none of these internal compression functions and attack mul would apply. We thus have:

$$t \ge \frac{c \cdot (m+c) \cdot (m+c-1)}{k \cdot (k-1)}.$$

This reasoning can also be applied to attack df, since we have at most $m+c$ different vectors as input to the internal compression functions. Each external input block must appear in at least $c$ different internal compression functions, otherwise some linear combinations of the external outputs would not depend on this external input block. We can put $k$ blocks in one inner function and thus we have:

$$t \ge \frac{c \cdot (m+c)}{k}.$$

These bounds are often much better than the general case and illustrate the importance of the input layer. A weak input layer can dramatically increase the minimum number of compression functions required for a secure construction.
Abstract. This paper presents a secure constant-round password-based group key exchange protocol in the common reference string model. Our protocol is based on the group key exchange protocol by Burmester and Desmedt and on the 2-party password-based authenticated protocols by Gennaro and Lindell, and by Katz, Ostrovsky, and Yung. The proof of security is in the standard model and based on the notion of smooth projective hash functions. As a result, it can be instantiated under various computational assumptions, such as decisional Diffie-Hellman, quadratic residuosity, and N-residuosity.
1 Introduction

Key exchange is one of the most useful tools in public-key cryptography, allowing users to establish a common secret which they can then use in applications to achieve both privacy and authenticity. Among the examples of key exchange protocols, the most classical one is the Diffie-Hellman protocol [22]. Unfortunately, the latter only works between two players and does not provide any authentication of the players.

Group Key Exchange. Group key exchange protocols are designed to provide a pool of players communicating over an open network with a shared secret key which may later be used to achieve cryptographic goals like multicast message confidentiality or multicast data integrity. Secure virtual conferences involving up to one hundred participants are an example.

Due to the usefulness of group key exchange protocols, several papers have attempted to extend the basic Diffie-Hellman protocol to the group setting. Nonetheless, most of these attempts were rather informal or quite inefficient in practice for large groups. To make the analyses of such protocols more formal, Bresson et al. [11,16] introduced a formal security model for group key exchange protocols, in the same vein as [6,7,4]. Moreover, they also proposed new protocols, referred to as group Diffie-Hellman protocols, using a ring structure for the communication, in which each player has to wait for the message from his predecessor before producing his own. Unfortunately, the nature of their communication structure makes their protocols quite impractical for large groups since the number of rounds of communication is linear in the number of players.

A more efficient and practical approach to the group key exchange problem is the one proposed by Burmester and Desmedt [17,18], in which they provide a constant-round Diffie-Hellman variant. Their protocol is both scalable and efficient, even for large groups, since it only requires 2 rounds of broadcasts. Thus, with reasonable time-out values, one could always quickly decide whether or not a protocol has been successfully executed. Furthermore, their protocol has also been formally analyzed, in the above security framework [30].

Password-Based Authenticated Key Exchange. The most classical way to add authentication to key exchange protocols is to sign critical message flows. In fact, as shown by Katz and Yung [30] in the context of group key exchange protocols, this technique can be made quite general and efficient, converting any scheme that is secure against passive adversaries into one that is secure against active ones. Unfortunately, such techniques require the use of complex infrastructures to handle public keys and certificates. One way to avoid such infrastructures is to use passwords for authentication. In the latter case, the pool of players who want to agree on a common secret key only needs to share a low-entropy password — a 4-digit pin-code, for example — against which an exhaustive search is quite easy to perform. In password-based protocols, it is clear that an outsider attacker can always guess a password and attempt to run the protocol. In case of failure, he can try again with a different guess. After each failure, the adversary can erase one password. Such an attack, known as “on-line exhaustive search”, cannot be avoided, but the damage it may cause can be mitigated by other means such as limiting the number of failed login attempts. A more dangerous threat is the “off-line exhaustive search”, also known as “dictionary attack”. It would mean that after one failure, or even after a simple eavesdropping, the adversary can significantly reduce the number of password candidates.

In the two-party case, perhaps the most well known Diffie-Hellman variant is the encrypted key exchange protocol by Bellovin and Merritt [8]. However, its security analyses [4,10,13,14] require ideal models, such as the random oracle model [5] or the ideal cipher model. The first practical password-based key exchange protocol, without random oracles, was proposed by Katz et al. [28] in the common reference string model and it is based on the Cramer-Shoup cryptosystem [19]. Their work was later extended by Gennaro and Lindell [24] using the more general smooth projective hash function primitive [19,20,21].

In the group key exchange case, very few protocols have been proposed with password authentication. In [12,15], Bresson et al. showed how to adapt their group Diffie-Hellman protocols to the password-based scenario. However, as with the original protocols on which they are based, their security analyses require ideal models and the total number of rounds is linear in the number of players, making their schemes impractical for large groups. More recently, several constant-round password-based group key exchange protocols have been proposed in the literature by Abdalla et al. [1], by Dutta and Barua [23], and by Kim, Lee, and Lee [31]. All of these constructions are based on the Burmester and Desmedt protocol [17,18] and are quite efficient, but their security analyses usually require the random oracle and/or the ideal cipher models.¹ Independently of and concurrently to our work, a new constant-round password-based group key exchange protocol has been proposed by Bohli et al. [9]. Their protocol is more efficient than ours and also enjoys a security proof in the standard model.
Contributions. In this paper, we propose the first password-based authenticated group key exchange protocol in the standard model. To achieve this goal, we extend the Gennaro-Lindell framework [24] to the group setting, using ideas similar to those used in the Burmester-Desmedt protocol [17,18]. In doing so, we take advantage of the smooth projective hash function primitive [20] to avoid the use of ideal models. Our protocol has several advantages. First, it is efficient both in terms of communication, only requiring 5 rounds, and in terms of computation, with a per-user computational load that is linear in the size of the group. Second, like the Burmester-Desmedt protocol, our protocol is also contributory since each member contributes equally to the generation of the common session key. Such a property, as pointed out by Steiner, Tsudik and Waidner [33], may be essential for certain distributed applications. Finally, as in the Gennaro-Lindell framework [24], our protocol works in the common reference string model and is quite general, being built in a modular way from four cryptographic primitives: a labeled encryption scheme secure against chosen-ciphertext attacks, a signature scheme, a family of smooth projective hash functions, and a family of universal hash functions. Thus, it can be instantiated under various computational assumptions, such as decisional Diffie-Hellman, quadratic residuosity, and N-residuosity (see [24]). In particular, the Diffie-Hellman variant (based on the Cramer-Shoup cryptosystem [19]) can be seen as a generalization of the KOY protocol [28] to the group setting.

2 Security Model 

The security model for password-based group key exchange protocols that we 
present here is the one by Bresson et al. [15], which is based on the model by 
Bellare et al. [4] for 2-party password-based key exchange protocols. 

Protocol participants. Let $\mathcal{U}$ denote the set of potential participants in a password-based group key exchange protocol. Each participant $U \in \mathcal{U}$ may belong to several subgroups $\mathcal{G} \subseteq \mathcal{U}$, each of which has a unique password $pw_{\mathcal{G}}$ associated to it. The password $pw_{\mathcal{G}}$ of a subgroup $\mathcal{G}$ is known to all the users $U_i \in \mathcal{G}$.

Protocol execution. The interaction between an adversary $\mathcal{A}$ and the protocol participants only occurs via oracle queries, which model the adversary's capabilities in a real attack. During the execution of the protocol, the adversary may create several instances of a participant, and several instances of the same participant may be active at any given time. Let $U^{(i)}$ denote instance $i$ of a participant $U$ and let $b$ be a bit chosen uniformly at random. The query types available to the adversary are as follows:

• Execute($U_1^{(i_1)}, \dots, U_n^{(i_n)}$): This query models passive attacks in which the attacker eavesdrops on honest executions among the participant instances $U_1^{(i_1)}, \dots, U_n^{(i_n)}$. It returns the messages that were exchanged during an honest execution of the protocol.

• Send($U^{(i)}, m$): This query models an active attack, in which the adversary may tamper with the message being sent over the public channel. It returns the message that the participant instance $U^{(i)}$ would generate upon receipt of message $m$.

• Reveal($U^{(i)}$): This query models the misuse of session keys by a user. It returns the session key held by the instance $U^{(i)}$.

• Test($U^{(i)}$): This query tries to capture the adversary's ability to tell apart a real session key from a random one. It returns the session key for instance $U^{(i)}$ if $b = 1$ or a random key of the same size if $b = 0$.

¹ In fact, in [1], Abdalla et al. showed that the protocols by Dutta and Barua [23] and by Kim, Lee, and Lee are insecure by presenting concrete attacks against these schemes.

Partnering. Following [30], we define the notion of partnering via session and partner identifiers. Let the session identifier $sid_U^i$ of a participant instance $U^{(i)}$ be a function of all the messages sent and received by $U^{(i)}$ as specified by the group key exchange protocol. Let the partner identifier $pid_U^i$ of a participant instance $U^{(i)}$ be the set of all participants with whom $U^{(i)}$ wishes to establish a common secret key. Two instances $U_1^{(i_1)}$ and $U_2^{(i_2)}$ are said to be partnered if and only if $pid_{U_1}^{i_1} = pid_{U_2}^{i_2}$ and $sid_{U_1}^{i_1} = sid_{U_2}^{i_2}$.

Freshness. Differently from [30], our definition of freshness does not take into account forward security, as the latter is out of the scope of the present paper. Let $acc_U^i$ be true if an instance $U^{(i)}$ goes into an accept state after receiving the last expected protocol message and false otherwise. We say that an instance $U^{(i)}$ is fresh if $acc_U^i = \mathsf{true}$ and no Reveal query has been asked to $U^{(i)}$ or to any of its partners.

Correctness. For a protocol to be correct, it should always be the case that, whenever two instances $U_1^{(i_1)}$ and $U_2^{(i_2)}$ are partnered and have accepted, both instances hold the same non-null session key.

Indistinguishability. Consider an execution of the group key exchange protocol $P$ by an adversary $\mathcal{A}$, in which the latter is given access to the Reveal, Execute, Send, and Test oracles and asks a single Test query to a fresh instance, and outputs a guess bit $b'$. Let Succ denote the event that $b'$ correctly matches the value of the hidden bit $b$ used by the Test oracle. The AKE-IND advantage of an adversary $\mathcal{A}$ in violating the indistinguishability of the protocol $P$ and the advantage function of the protocol $P$, when passwords are drawn from a dictionary $\mathcal{D}$, are respectively $\mathrm{Adv}^{\mathrm{ake\text{-}ind}}_{P,\mathcal{D}}(\mathcal{A}) = 2 \cdot \Pr[\mathrm{Succ}] - 1$ and $\mathrm{Adv}^{\mathrm{ake\text{-}ind}}_{P,\mathcal{D}}(t, R) = \max_{\mathcal{A}} \{\mathrm{Adv}^{\mathrm{ake\text{-}ind}}_{P,\mathcal{D}}(\mathcal{A})\}$, where the maximum is over all $\mathcal{A}$ with time-complexity at most $t$ and using resources at most $R$ (such as the number of queries to its oracles). The definition of time-complexity that we use henceforth is the usual one, which includes the maximum of all execution times in the experiments defining the security plus the code size.

We say that a password-based group key exchange protocol $P$ is secure if the advantage of any polynomial-time adversary is only negligibly larger than $O(q/|\mathcal{D}|)$, where $q$ is the number of different protocol instances to which the adversary has asked Send queries. Given that the dictionary size can be quite small in practice, the hidden constant in the big-$O$ notation should be as small as possible (preferably 1) for a higher level of security.

3 Building Blocks 

3.1 Universal Hash Function Families 

One of the tools used in our protocol is a family of universal hash functions. A family $\mathcal{UH}$ of universal hash functions is a map $K \times G \to R$, where $K$ is the key or seed space, $G$ is the domain of the hash function, and $R$ is the range. For each seed or key $k \in K$, we can define a particular instance $UH_k : G \to R$ of the family by fixing the key being used in the computation of the function. For simplicity, we sometimes omit the seed $k$ from the notation when referring to a particular instance of the family. Let $UH_k$ be a universal hash function chosen at random from a family $\mathcal{UH}$. One of the properties of universal hash function families in which we are interested is the one that says that, if an element $g$ is chosen uniformly at random from $G$, then the output distribution of $UH_k(g)$ is statistically close to uniform in $R$ [26].

3.2 Signatures 

The signature scheme used in our protocol is the standard one introduced by Goldwasser, Micali, and Rivest [25]. A standard signature scheme $\mathcal{SIG} = (\mathsf{SKG}, \mathsf{Sign}, \mathsf{Ver})$ is composed of three algorithms. The key generation algorithm SKG takes as input $1^k$, where $k$ is a security parameter, and returns a pair $(sk, vk)$ containing the secret signing key and the public verification key. The signing algorithm Sign takes as input the secret key $sk$ and a message $m$ and returns a signature $\sigma$ for that message. The verification algorithm Ver on input $(vk, m, \sigma)$ returns 1 if $\sigma$ is a valid signature for the message $m$ with respect to the verification key $vk$.

A Scalable Password-Based Group Key Exchange Protocol 337

The security notion for signature schemes needed in our proofs is strong existential unforgeability under chosen-message attacks [25]. More precisely, let $(sk, vk)$ be a pair of secret and public keys for a signature scheme $\mathcal{SIG}$, let $\mathsf{Sign}(\cdot)$ be a signing oracle which returns $\sigma = \mathsf{Sign}(sk, m)$ on input $m$, and let $\mathcal{F}$ be an adversary. Then, consider the experiment in which the adversary $\mathcal{F}$, who is given access to the public key $vk$ and to the signing oracle $\mathsf{Sign}(\cdot)$, outputs a pair $(m', \sigma')$. Let $\{(m_i, \sigma_i)\}$ denote the set of queries made to the signing oracle with the respective responses and let Succ denote the event in which $\mathsf{Ver}(vk, m', \sigma') = 1$ and $(m', \sigma') \notin \{(m_i, \sigma_i)\}$. The SIG-SUF-CMA-advantage of an adversary $\mathcal{F}$ in violating the chosen-message security of the signature scheme $\mathcal{SIG}$ is defined as $\mathrm{Adv}^{\mathrm{suf\text{-}cma}}_{\mathcal{SIG}}(\mathcal{F}) = \Pr[\mathrm{Succ}]$. A signature scheme $\mathcal{SIG}$ is said to be SIG-SUF-CMA-secure if this advantage is a negligible function in $k$ for all polynomial-time adversaries (PTAs) $\mathcal{F}$ asking a polynomial number of queries to their signing oracle.

3.3 Labeled Encryption 

The notion of labeled encryption, first formalized in the ISO 18033-2 stan- 
dard [32], is a variation of the usual encryption notion that takes into account the 
presence of labels in the encryption and decryption algorithms. More precisely, 
in a labeled encryption scheme, both the encryption and decryption algorithms 
have an additional input parameter, referred to as a label, and the decryption 
algorithm should only correctly decrypt a ciphertext if its input label matches 
the label used to create that ciphertext. 

Formally, a labeled encryption scheme $\mathcal{LPKE} = (\mathsf{LKG}, \mathsf{Enc}, \mathsf{Dec})$ consists of three algorithms. Via $(pk, sk) \leftarrow \mathsf{LKG}(1^k)$, where $k \in \mathbb{N}$ is a security parameter, the randomized key-generation algorithm produces the public and secret keys of the scheme. Via $c \leftarrow \mathsf{Enc}(pk, l, m; r)$, the randomized encryption algorithm produces a ciphertext $c$ for a label $l$ and message $m$ using $r$ as the randomness. Via $m \leftarrow \mathsf{Dec}(sk, l, c)$, the decryption algorithm decrypts the ciphertext $c$ using $l$ as the label to get back a message $m$.

The security notion for labeled encryption is similar to that of standard encryption schemes. The main difference is that, whenever the adversary wishes to ask a query to his Left-or-Right encryption oracle, in addition to providing a pair of messages $(m_0, m_1)$, he also has to provide a target label $l$ in order to obtain the challenge ciphertext $c$. Moreover, when chosen-ciphertext security (LPKE-IND-CCA) is concerned, the adversary is also allowed to query his decryption oracle on any pair $(l, c)$ as long as the ciphertext $c$ does not match the output of a query to his Left-or-Right encryption oracle whose input includes the label $l$. As shown by Bellare et al. in the case of standard encryption schemes [3], one can easily show that the Left-or-Right security notion for labeled encryption follows from the more standard Find-Then-Guess security notion (in which the adversary is only allowed a single query to his challenging encryption oracle).

3.4 Smooth Projective Hash Functions 

The notion of projective hash function families was first introduced by Cramer and Shoup [20] as a means to design chosen-ciphertext secure encryption schemes. Later, Gennaro and Lindell [24] showed how to use such families to build secure password-based authenticated key exchange protocols. One of the properties that makes these functions particularly interesting is that, for certain points of their domain, their values can be computed by using either a secret hashing key or a public projective key. While the computation using the secret hashing key works for all the points in the domain of the hash function, the computation using a public projective key only works for a specified subset of the domain. A projective hash function family is said to be smooth if the value of the function on inputs that are outside the particular subset of the domain is independent of the projective key. In [24], the notion of smooth hash functions was presented in the context of families of hard (partitioned) subset membership problems. Here we follow the same approach.

Hard partitioned subset membership problems. Let $k \in \mathbb{N}$ be a security parameter. In a family of hard (partitioned) subset membership problems, we first specify two sets $X(k)$ and $L(k)$ in $\{0,1\}^{\mathrm{poly}(k)}$ such that $L(k) \subseteq X(k)$, as well as two distributions $D(L(k))$ and $D(X(k) \setminus L(k))$ over $L(k)$ and $X(k) \setminus L(k)$ respectively. Next, we specify a witness set $W(k) \subseteq \{0,1\}^{\mathrm{poly}(k)}$ and an NP-relation $R(k) \subseteq X(k) \times W(k)$ such that $x \in L(k)$ if and only if there exists a witness $w \in W(k)$ such that $(x, w) \in R(k)$. Then, we say that a family of subset membership problems is hard if $(X(k), L(k), D(L(k)), D(X(k) \setminus L(k)), W(k), R(k))$ instances can be efficiently generated, a member element $x \in L(k)$ can be efficiently sampled according to $D(L(k))$ along with a witness $w \in W(k)$ to the fact that $(x, w) \in R(k)$, non-member elements $x \in X(k) \setminus L(k)$ can be efficiently sampled according to $D(X(k) \setminus L(k))$, and the distributions of member and non-member elements cannot be efficiently distinguished. The definition of a hard partitioned subset membership problem is an extension of the one given above in which the set $X(k)$ is partitioned into disjoint subsets $X(k, i)$ for some index $i$, and for which, for all $i$, it remains hard to distinguish an element $x \in L(k, i)$ chosen according to a distribution $D(L(k, i))$ from an element $x \in X(k, i) \setminus L(k, i)$ chosen according to a distribution $D(X(k, i) \setminus L(k, i))$.
Hard partitioned subset membership problems from labeled encryption. The families of hard partitioned subset membership problems in which we are interested are those based on LPKE-IND-CCA-secure labeled encryption schemes. More precisely, let $\mathcal{LPKE} = (\mathsf{LKG}, \mathsf{Enc}, \mathsf{Dec})$ be an LPKE-IND-CCA-secure labeled encryption scheme and let $pk$ be a public key output by the LKG algorithm for a given security parameter $k$. Let $\mathrm{Enc}(pk)$ denote an efficiently recognizable superset of the space of all ciphertexts that may be output by the encryption algorithm Enc when the public key is $pk$, and let $L$ and $M$ denote efficiently recognizable supersets of the label and message spaces. Using these sets, we can define a family of hard partitioned subset membership problems as follows. First, we define the sets $X$ and $L$ for the family of hard subset membership problems as $X(pk) = \mathrm{Enc}(pk) \times L \times M$ and $L(pk) = \{(c, l, m) \mid \exists r \text{ s.t. } c = \mathsf{Enc}(pk, l, m; r)\}$. Next, we define the partitioning of the sets $X$ and $L$ with respect to the message and label used in the encryption as $X(pk, l, m) = \mathrm{Enc}(pk) \times \{l\} \times \{m\}$ and $L(pk, l, m) = \{(c, l, m) \mid \exists r \text{ s.t. } c = \mathsf{Enc}(pk, l, m; r)\}$. The distribution $D(L(pk, l, m))$ can then be defined by choosing a random $r \in R$ and outputting the triple $(\mathsf{Enc}(pk, l, m; r), l, m)$ with $r$ as a witness. Likewise, the distribution $D(X(pk, l, m) \setminus L(pk, l, m))$ can be defined by choosing a random $r \in R$ and outputting the triple $(\mathsf{Enc}(pk, l, m'; r), l, m)$, where $m'$ is a dummy message different from $m$ but of the same length. Finally, we define the witness set $W(pk)$ to be the set of randomness values $r$ and the NP-relation $R(pk)$ in a natural way. It is easy to see that the hardness of distinguishing non-members from members follows from the LPKE-IND-CCA security of the labeled encryption scheme.

Smooth projective hash functions. Let $\mathcal{HLPKE}(pk) = (X(pk), L(pk), D(X(pk, l, m) \setminus L(pk, l, m)), D(L(pk, l, m)), W(pk), R(pk))$ be a family of hard (partitioned) subset membership problems based on an LPKE-IND-CCA-secure labeled encryption scheme $\mathcal{LPKE}$ with security parameter $k$. A family of smooth projective hash functions $\mathcal{HASH}(pk) = (\mathsf{HashKG}, \mathsf{ProjKG}, \mathsf{Hash}, \mathsf{ProjHash})$ associated with $\mathcal{HLPKE}$ consists of four algorithms. Via $hk \leftarrow \mathsf{HashKG}(pk)$, the randomized key-generation algorithm produces hash keys $hk \in HK(pk)$, where $k \in \mathbb{N}$ is a security parameter and $pk$ is the public key of a labeled encryption scheme $\mathcal{LPKE}$. Via $phk \leftarrow \mathsf{ProjKG}(hk, l, c)$, the randomized key projection algorithm produces projected hash keys $phk \in PHK(pk)$ for a hash key $hk$ with respect to label $l$ and ciphertext $c$. Via $g \leftarrow \mathsf{Hash}(hk, c, l, m)$, the hashing algorithm computes the hash value $g \in G(pk)$ of $(c, l, m)$ using the hash key $hk$. Via $g \leftarrow \mathsf{ProjHash}(phk, c, l, m; r)$, the projected hashing algorithm computes the hash value $g \in G(pk)$ of $(c, l, m)$ using the projected hash key $phk$ and a witness $r$ to the fact that $c$ is a valid encryption of message $m$ with respect to the public key $pk$ and label $l$.

Properties. The properties of smooth projective hash functions in which we are interested are correctness, smoothness, and pseudorandomness.

Correctness. Let $\mathcal{LPKE}$ be a labeled encryption scheme and let $pk$ be a public key output by the LKG algorithm for a given security parameter $k$. Let $c = \mathsf{Enc}(pk, l, m; r)$ be the ciphertext for a message $m$ with respect to public key $pk$ and label $l$ computed using $r$ as the randomness. Then, for any hash key $hk \in HK(pk)$ and projected hash key $phk \leftarrow \mathsf{ProjKG}(hk, l, c)$, the values $\mathsf{Hash}(hk, c, l, m)$ and $\mathsf{ProjHash}(phk, c, l, m; r)$ are the same.

Smoothness. Let $hk \in HK(pk)$ be a hash key and let $phk \in PHK(pk)$ be a projected hash key for $hk$ with respect to $l$ and $c$. Then, for every triple $(c, l, m)$ for which $c$ is not a valid encryption of message $m$ with respect to the public key $pk$ and label $l$ (i.e., $(c, l, m) \in X(pk, l, m) \setminus L(pk, l, m)$), the hash value $g = \mathsf{Hash}(hk, c, l, m)$ is statistically close to uniform in $G$ and independent of the values $(phk, c, l, m)$.

Pseudorandomness. Let $\mathcal{LPKE}$ be an LPKE-IND-CCA-secure labeled encryption scheme, let $pk$ be a public key output by the LKG algorithm for a given security parameter $k$, and let $(l, m) \in L \times M$ be a label-message pair. Then, for uniformly chosen hash key $hk \in HK(pk)$ and randomness $r \in R(pk)$, the distributions $\{c = \mathsf{Enc}(pk, l, m; r),\ l,\ m,\ phk \leftarrow \mathsf{ProjKG}(hk, l, c),\ g \leftarrow \mathsf{Hash}(hk, c, l, m)\}$ and $\{c = \mathsf{Enc}(pk, l, m; r),\ l,\ m,\ phk \leftarrow \mathsf{ProjKG}(hk, l, c),\ g \xleftarrow{\$} G\}$ are computationally indistinguishable.
Examples. To provide the reader with an idea of how efficient smooth projective
hash functions are, we recall here the example given in [24] based on the Cramer-
Shoup encryption scheme [19].

The labeled version of the Cramer-Shoup scheme works as follows. Let $G$ be
a cyclic group of prime order $q$ where $q$ is large. The key generation algorithm
chooses two additional random generators $g_1, g_2$ in $G$, a collision-resistant hash
function $H$, and random values $z, z_1, z_2, \hat{z}_1, \hat{z}_2$ in $\mathbb{Z}_q$ with $z \neq 0$. The secret key
is set to $(z, z_1, z_2, \hat{z}_1, \hat{z}_2)$ and the public key is defined to be $(h, \bar{h}, \hat{h}, g_1, g_2, H)$,
where $h = g_1^{z}$, $\bar{h} = g_1^{z_1} g_2^{z_2}$, and $\hat{h} = g_1^{\hat{z}_1} g_2^{\hat{z}_2}$. To encrypt a message $m \in G$ with
respect to label $l$, the sender chooses $r \in \mathbb{Z}_q$, and computes $u_1 = g_1^{r}$, $u_2 = g_2^{r}$,
$e = h^{r} \cdot m$, $\theta = H(l, u_1, u_2, e)$ and $v = (\bar{h} \hat{h}^{\theta})^{r}$. The ciphertext is $c = (u_1, u_2, e, v)$.
To decrypt a ciphertext $c = (u_1, u_2, e, v)$ with respect to label $l$, the receiver
computes $\theta = H(l, u_1, u_2, e)$ and tests if $v$ equals $u_1^{z_1 + \theta \hat{z}_1} u_2^{z_2 + \theta \hat{z}_2}$. If equality does
not hold, it outputs $\bot$; otherwise, it outputs $m = e \cdot u_1^{-z}$.

The smooth projective hashing for the labeled Cramer-Shoup encryption
scheme is then defined as follows. The hash key generation algorithm HashKG
simply sets the key $hk$ to be the tuple $(a_1, a_2, a_3, a_4)$ where each $a_i$ is a random
value in $\mathbb{Z}_q$. The key projection function ProjKG, on input $(hk, l, c)$, first
computes $\theta = H(l, u_1, u_2, e)$ and outputs $phk = g_1^{a_1} g_2^{a_2} h^{a_3} (\bar{h} \hat{h}^{\theta})^{a_4}$. The hash
function Hash on input $(hk, c, l, m)$ outputs $u_1^{a_1} u_2^{a_2} (e/m)^{a_3} v^{a_4}$. The projective
hash function ProjHash on input $(phk, c, l, m, r)$ simply outputs $phk^{r}$.

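As an added worked example (not code from the paper or from [24]), the following Python implements the labeled Cramer-Shoup scheme and the smooth projective hash function just described, over a constructed toy group of 64-bit prime order, and checks the correctness property (Hash and ProjHash agree on a valid (c, l, pw)), the label binding of the ciphertext, and what happens when the projected hash is evaluated with the witness on a wrong password. The safe-prime search, the message encoding `group_element`, the hash `H` (SHA-256 reduced modulo q) and all parameter sizes are assumptions of this example, not part of the paper.

```python
import hashlib
import secrets

# Added example (not the paper's code); sizes, group_element() and H() are assumptions.

def is_probable_prime(n, rounds=16):
    """Miller-Rabin (probabilistic); adequate for generating toy parameters."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    # p = 2q + 1 with p, q prime: the squares mod p form a cyclic group of order q
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(64)  # toy size; a real instantiation needs a far larger group

def group_element(seed):
    return pow(2 + seed % (P - 3), 2, P)  # encode an integer as a square mod P

def H(*parts):
    # collision-resistant hash onto Z_q: SHA-256 of the encoded tuple, reduced mod Q
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % Q

def keygen():
    # sk = (z, z1, z2, zh1, zh2), pk = (h, hbar, hhat, g1, g2); H is global here
    g1, g2 = group_element(0), group_element(1)
    z = 1 + secrets.randbelow(Q - 1)  # z != 0 as the scheme requires
    z1, z2, zh1, zh2 = (secrets.randbelow(Q) for _ in range(4))
    h = pow(g1, z, P)
    hbar = pow(g1, z1, P) * pow(g2, z2, P) % P
    hhat = pow(g1, zh1, P) * pow(g2, zh2, P) % P
    return (h, hbar, hhat, g1, g2), (z, z1, z2, zh1, zh2)

def encrypt(pk, label, m):
    # Enc(pk, l, m; r): returns c = (u1, u2, e, v) and the randomness r (the witness)
    h, hbar, hhat, g1, g2 = pk
    r = secrets.randbelow(Q)
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = pow(h, r, P) * m % P
    theta = H(label, u1, u2, e)
    v = pow(hbar * pow(hhat, theta, P) % P, r, P)
    return (u1, u2, e, v), r

def decrypt(sk, label, c):
    # Dec(sk, l, c); None plays the role of the paper's reject symbol
    z, z1, z2, zh1, zh2 = sk
    u1, u2, e, v = c
    theta = H(label, u1, u2, e)
    check = pow(u1, (z1 + theta * zh1) % Q, P) * pow(u2, (z2 + theta * zh2) % Q, P) % P
    return None if v != check else e * pow(u1, Q - z, P) % P  # e * u1^{-z}

def hash_kg():
    return tuple(secrets.randbelow(Q) for _ in range(4))  # hk = (a1, a2, a3, a4)

def proj_kg(pk, hk, label, c):
    h, hbar, hhat, g1, g2 = pk
    a1, a2, a3, a4 = hk
    u1, u2, e, _ = c
    theta = H(label, u1, u2, e)
    return (pow(g1, a1, P) * pow(g2, a2, P) * pow(h, a3, P)
            * pow(hbar * pow(hhat, theta, P) % P, a4, P)) % P

def sphf_hash(hk, c, label, m):
    a1, a2, a3, a4 = hk
    u1, u2, e, v = c
    e_over_m = e * pow(m, P - 2, P) % P
    return pow(u1, a1, P) * pow(u2, a2, P) * pow(e_over_m, a3, P) * pow(v, a4, P) % P

def proj_hash(phk, c, label, m, r):
    return pow(phk, r, P)  # with the witness r the hash collapses to phk^r

def demo():
    pk, sk = keygen()
    pw, wrong = group_element(12345), group_element(54321)  # constructed passwords
    label = "vk_i||U_1||U_2||U_3"  # shape of the label l_i used by the protocol
    c, r = encrypt(pk, label, pw)
    hk = hash_kg()
    phk = proj_kg(pk, hk, label, c)
    return {
        "decrypts": decrypt(sk, label, c) == pw,
        "label_bound": decrypt(sk, "other-label", c) is None,
        "correct": sphf_hash(hk, c, label, pw) == proj_hash(phk, c, label, pw, r),
        "wrong_pw_differs": sphf_hash(hk, c, label, wrong) != proj_hash(phk, c, label, wrong, r),
    }
```

The last entry of `demo()` is the point the protocol relies on: a party holding only the projected key and a witness for the wrong password obtains a value unrelated to the real hash (they coincide only when $a_3 = 0$, which happens with probability $1/q$), so the hash value can serve as a password test without the password itself ever being compared.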
4 A Scalable Password-Based Group Key Exchange Protocol

In this section, we finally present our password-based group key exchange
protocol. Our protocol is an extension of the Gennaro-Lindell password-based key
exchange protocol [24] to the group setting and uses ideas similar to those
used in the Burmester-Desmedt group key exchange protocol [18]. The Gennaro-
Lindell protocol itself is an abstraction of the password-based key exchange
protocol of Katz, Ostrovsky, and Yung [28,29]. Like the Gennaro-Lindell protocol,
our protocol is built in a modular way from four cryptographic primitives: a
LPKE-IND-CCA-secure labeled encryption scheme, a signature scheme, a family
of smooth projective hash functions, and a family of universal hash functions.
Thus, our protocol enjoys efficient instantiations based on the decisional Diffie-
Hellman, quadratic residuosity, and $N$-residuosity assumptions (see [24]). Like
the Burmester-Desmedt group key exchange protocol, our protocol only requires
a constant number of rounds and low per-user computation.

As done in the Gennaro-Lindell protocol, we also assume the existence of 
a mechanism to allow parties involved in the protocol to differentiate between 
concurrent executions as well as identify the other parties with which they are 
interacting. As in their case, this requirement is only needed for the correct 
operation of the protocol. No security requirement is imposed on this mechanism. 
4.1 Protocol Description

Overview. As in the Burmester-Desmedt protocol, our protocol assumes a ring 
structure for the users so that we can refer to the predecessor and successor 
of a user. Moreover, we associate each user with an index i between 1 and n, 
where n is the size of the group. After deciding on the order of the users, our 
protocol works as follows. First, each user in the group executes two correlated 
instances of the Gennaro-Lindell protocol, one with his predecessor and one with 
his successor so each user can authenticate his neighbors (this accounts for the 
first 3 rounds of the protocol). However, instead of generating a single session 
key in each of these instances, we modify the original Gennaro-Lindell protocol 
so that two independent session keys are generated in each session (this requires 
an extra hash key and an extra projection key per user). We then use the first 
one of these as a test key to authenticate the neighbor with whom that key is 
shared and we use the other one to help in the computation of the group session 
key, which is defined as the product of these latter keys. To do so, we add one 
more round of communication like in the Burmester-Desmedt protocol, so that 
each user computes and broadcasts the ratio of the session keys that he shares 
with his predecessor and successor. After this round, each user is capable of 
computing the group session key. However, to ensure that all users agree on the 
same key, a final round of signatures is added to the protocol to make sure that 
all users compute the group session key based on the same transcript. The key 
used to verify the signature of a user is the same one transmitted by that user 
in the first round of the Gennaro-Lindell protocol. 

For a pictorial description of our protocol, please refer to Fig. 1. The formal
description follows.

Description. Let $\mathcal{LPKE} = (\mathrm{LKG}, \mathrm{Enc}, \mathrm{Dec})$ be a labeled encryption scheme, let
$\mathcal{SIG} = (\mathrm{SKG}, \mathrm{Sign}, \mathrm{Ver})$ be a signature scheme, and let $\mathcal{HASH}(pk) = (\mathrm{HashKG},
\mathrm{ProjKG}, \mathrm{Hash}, \mathrm{ProjHash})$ be a family of smooth projective hash functions based on
$\mathcal{LPKE}$. Let $UH : G \mapsto \{0,1\}^{2\ell}$ and $UH' : G \mapsto \{0,1\}^{\ell}$ be two universal hash
functions chosen uniformly at random from the families $\mathcal{UH}$ and $\mathcal{UH}'$ and let
$UH_1(g)$ and $UH_2(g)$ refer to the first and second halves of $UH(g)$. Let $U_1, \ldots, U_n$
be the users wishing to establish a common secret key and let $pw$ be their joint
password chosen uniformly at random from a dictionary $Dict$ of size $N$. We
assume $pw$ either lies in the message space $M$ of $\mathcal{LPKE}$ or can be easily mapped
to it. Our protocol has a total of five rounds of communication and works as
follows.

Initialization. A trusted server runs the key generation algorithm LKG on
input $1^k$, where $k \in \mathbb{N}$ is a security parameter, to obtain a pair $(pk, sk)$ of secret
and public keys and publishes the public key $pk$ along with randomly selected
universal hash functions $UH$ and $UH'$ from the families $\mathcal{UH}$ and $\mathcal{UH}'$.

Round 1. In this first round, each player $U_i$ for $i = 1, \ldots, n$ starts by setting
the partner identifier $pid_i$ to $\{U_1, \ldots, U_n\}$. Then, each player $U_i$ generates a pair
$(sk_i, vk_i)$ of secret and public keys for a signature scheme and a label $l_i = vk_i \,\|\,
U_1 \,\|\, \ldots \,\|\, U_n$. Next, each player encrypts the joint group password $pw$ using the
encryption algorithm $\mathrm{Enc}$ with respect to the public key $pk$ and label $l_i$ using $r_i^L$
as the randomness. Let $c_i^L$ denote the resulting ciphertext (i.e., $c_i^L = \mathrm{Enc}(pk, l_i,
pw; r_i^L)$). At the end of this round, each player $U_i$ broadcasts the pair $(l_i, c_i^L)$.

Round 2. In this second round, each player $U_i$ for $i = 1, \ldots, n$ encrypts once
more the joint group password $pw$ using the encryption algorithm $\mathrm{Enc}$ with
respect to the public key $pk$ and label $l_i$ using $r_i^R$ as the randomness. Let $c_i^R$
denote the resulting ciphertext (i.e., $c_i^R = \mathrm{Enc}(pk, l_i, pw; r_i^R)$). Next, each player
$U_i$ chooses a hash key $hk_i^L$ uniformly at random from $HK(pk)$ for the smooth
projective hash function and then generates a projection key $phk_i^L$ for it with
respect to the pair $(c_{i-1}^L, l_{i-1})$. That is, $phk_i^L \leftarrow \mathrm{ProjKG}(hk_i^L, l_{i-1}, c_{i-1}^L)$. Here and
in other parts of the protocol, the indices are taken modulo $n$. At the end of this
round, each player $U_i$ broadcasts the pair $(c_i^R, phk_i^L)$.

Round 3. In this round, player $U_i$ first chooses two new hash keys $hk_i$ and
$hk_i^R$ uniformly at random from $HK(pk)$ for the smooth projective hash function.
Next, player $U_i$ generates two projection keys $phk_i$ and $phk_i^R$ for the hash keys $hk_i$
and $hk_i^R$, both with respect to the pair $(c_{i+1}^R, l_{i+1})$. That is, $phk_i \leftarrow \mathrm{ProjKG}(hk_i,
l_{i+1}, c_{i+1}^R)$ and $phk_i^R \leftarrow \mathrm{ProjKG}(hk_i^R, l_{i+1}, c_{i+1}^R)$. Then, player $U_i$ computes a test
master key $X_i^R = K_{i+1}^L \cdot K_i^R$ for its successor, where $K_i^L = \mathrm{Hash}(hk_i^L, c_{i-1}^L, l_{i-1},
pw)$ and $K_i^R = \mathrm{Hash}(hk_i^R, c_{i+1}^R, l_{i+1}, pw)$. Note that player $U_i$ can compute $K_i^R$
using $hk_i^R$ and $K_{i+1}^L$ using $phk_{i+1}^L$ and the witness $r_i^L$ to the fact that $c_i^L$ is a
valid encryption of $pw$ with respect to $pk$ and $l_i$. Finally, player $U_i$ computes a
test key $test_i^R = UH_1(X_i^R)$, sets $T_i^R = U_i \,\|\, U_{i+1} \,\|\, c_i^L \,\|\, c_{i+1}^R \,\|\, phk_i \,\|\, phk_i^R \,\|\, phk_{i+1}^L \,\|\,
test_i^R$, and computes a signature $\sigma_i^R$ on $T_i^R$ using $sk_i$. At the end of this round,
player $U_i$ broadcasts the tuple $(phk_i, phk_i^R, test_i^R, \sigma_i^R)$.

Round 4. In this round, each player $U_i$ first verifies if the signature $\sigma_{i-1}^R$ on
the transcript $T_{i-1}^R$ is correct using $vk_{i-1}$. If this check fails, then player $U_i$ halts
and sets $acc_i = \mathrm{false}$. Otherwise, player $U_i$ computes the values $K_i^L$ and $K_{i-1}^R$
using the hash key $hk_i^L$ and the projection key $phk_{i-1}^R$ along with the witness $r_i^R$
to the fact that $c_i^R$ is a valid encryption of $pw$ with respect to $pk$ and $l_i$. That is,
$K_i^L = \mathrm{Hash}(hk_i^L, c_{i-1}^L, l_{i-1}, pw)$ and $K_{i-1}^R = \mathrm{ProjHash}(phk_{i-1}^R, c_i^R, l_i, pw, r_i^R)$. Next,
player $U_i$ computes the test master key $X_i^L = K_i^L \cdot K_{i-1}^R$ for its predecessor and
verifies if $test_{i-1}^R = UH_1(X_i^L)$. Once again, if this test fails, then player $U_i$ halts
and sets $acc_i = \mathrm{false}$. If this test succeeds, then player $U_i$ computes a test key
$test_i^L = UH_2(X_i^L)$ for its predecessor and an auxiliary key $X_i = K_i / K_{i-1}$, where
$K_i = \mathrm{Hash}(hk_i, c_{i+1}^R, l_{i+1}, pw)$. More precisely, player $U_i$ computes the value $K_i$
using the hash key $hk_i$ and the value $K_{i-1}$ using the projection key $phk_{i-1}$ along
with the witness $r_i^R$ to the fact that $c_i^R$ is a valid encryption of $pw$ with respect
to $pk$ and $l_i$. Finally, each player $U_i$ broadcasts the pair $(X_i, test_i^L)$.

Round 5. First, each player $U_i$ checks whether $test_{i+1}^L = UH_2(X_i^R)$ and whether
$\prod_{j=1}^{n} X_j = 1$. If any of these tests fails, then player $U_i$ halts and sets $acc_i = \mathrm{false}$.
Otherwise, each player $U_i$ sets $T_j = vk_j \,\|\, U_j \,\|\, c_j \,\|\, phk_j \,\|\, phk_j^L \,\|\, phk_j^R \,\|\, X_j \,\|\, X_j$
for $j = 1, \ldots, n$ and $T = T_1 \,\|\, \ldots \,\|\, T_n$ and then signs it using $sk_i$ to obtain $\sigma_i$.
Finally, each player $U_i$ broadcasts $\sigma_i$.

Finalization. Each player $U_i$ checks for $j \neq i$ whether $\sigma_j$ is a valid signature
on $T$ with respect to $vk_j$. If any of these checks fails, then player $U_i$ halts and
sets $acc_i = \mathrm{false}$. Otherwise, player $U_i$ sets $acc_i = \mathrm{true}$ and computes the master
key $MSK = \prod_{j=1}^{n} K_j = K_i^{\,n} \cdot X_{i+1}^{\,n-1} \cdot X_{i+2}^{\,n-2} \cdot \ldots \cdot X_{i+n-2}^{\,2} \cdot X_{i+n-1}$, and the session
key $SK = UH'(MSK)$. Each player $U_i$ also sets the session identifier $sid_i$ to $T$.

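The key-combination arithmetic of Rounds 4 and 5 and of the Finalization step, as an added example that is not the paper's own code: the temporary keys $K_i$ are drawn at random from a constructed toy group ($\mathbb{Z}_p^*$ for the Mersenne prime $p = 2^{61} - 1$) rather than produced by the smooth projective hash, and labels, signatures and test keys are left out, so only the $X_i$ ratios, the product check and the $MSK$ formula are exercised. All function names are this example's own.

```python
import secrets

# Added example (not the paper's code): the K_i below are random stand-ins for
# the SPHF outputs; only the ring arithmetic of the protocol is reproduced.

P = 2 ** 61 - 1  # Mersenne prime; the constructed toy group is Z_p^*

def inv(x):
    return pow(x, P - 2, P)

def broadcast_x(keys):
    """Round 4: U_i publishes X_i = K_i / K_{i-1}, indices taken modulo n."""
    n = len(keys)
    return [keys[i] * inv(keys[(i - 1) % n]) % P for i in range(n)]

def product_is_one(xs):
    """Round 5 check: prod_j X_j = 1, because the ratios telescope around the ring."""
    acc = 1
    for x in xs:
        acc = acc * x % P
    return acc == 1

def master_key(i, k_i, xs):
    """Finalization by U_i: MSK = K_i^n * prod_{j=1}^{n-1} X_{i+j}^{n-j},
    computed from U_i's own K_i and the broadcast ratios only."""
    n = len(xs)
    msk = pow(k_i, n, P)
    for j in range(1, n):
        msk = msk * pow(xs[(i + j) % n], n - j, P) % P
    return msk

def simulate(n):
    """Honest run with n players: (set of MSKs the players computed, prod_j K_j, Round 5 check)."""
    keys = [1 + secrets.randbelow(P - 1) for _ in range(n)]  # constructed stand-ins for K_j
    xs = broadcast_x(keys)
    expected = 1
    for k in keys:
        expected = expected * k % P
    msks = {master_key(i, keys[i], xs) for i in range(n)}
    return msks, expected, product_is_one(xs)

def tamper_detected(n):
    """An X_j that was not formed as a ratio of neighbouring keys breaks the product check."""
    keys = [1 + secrets.randbelow(P - 1) for _ in range(n)]
    xs = broadcast_x(keys)
    xs[0] = xs[0] * 2 % P
    return not product_is_one(xs)
```

Every player ends with the same $MSK = \prod_j K_j$ although each one only knows its own $K_i$; the exponent pattern $n, n-1, \ldots, 1$ is exactly what makes the ratios telescope, which is also why the Round 5 product check is a cheap consistency test on the broadcast values rather than a security guarantee on its own (the signatures in Round 5 provide that).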
Observation. Let $K_i = \mathrm{Hash}(hk_i, c_{i+1}^R, l_{i+1}, pw)$, $K_i^R = \mathrm{Hash}(hk_i^R, c_{i+1}^R, l_{i+1},
pw)$, and $K_i^L = \mathrm{Hash}(hk_i^L, c_{i-1}^L, l_{i-1}, pw)$ denote temporary keys. In a normal
execution of the protocol, the temporary keys $K_i$ and $K_i^R$ are known to both
player $U_i$ (who knows $hk_i$ and $hk_i^R$) and his successor $U_{i+1}$ (who knows $phk_i$,
$phk_i^R$, and the witness $r_{i+1}^R$ to the fact that $c_{i+1}^R$ is a valid encryption of $pw$ with
respect to $pk$ and $l_{i+1}$). Likewise, the temporary key $K_i^L$ is known to both player
$U_i$ (who knows $hk_i^L$) and his predecessor $U_{i-1}$ (who knows $phk_i^L$ and the witness
$r_{i-1}^L$ to the fact that $c_{i-1}^L$ is a valid encryption of $pw$ with respect to $pk$ and $l_{i-1}$).

4.2 Correctness and Security 

Correctness. In an honest execution of the protocol, it is easy to verify that
all participants in the protocol will terminate by accepting and computing the
same values for the partner identifier, session identifiers, and the session key. The
session key in this case is equal to $\prod_{j=1}^{n} \mathrm{Hash}(hk_j, c_{j+1}^R, l_{j+1}, pw) = \prod_{j=1}^{n} K_j$.
Security. The intuition behind the security of our protocol is quite simple. Due
to the security properties of the underlying Gennaro-Lindell protocol, each user
is able to authenticate its neighbors and safely share session keys with them.
Due to the properties of the signature scheme, all users in the group are able to
ensure that they have received the same messages and that they will generate the
same group session key. As the following theorem shows, the protocol
described above and in Fig. 1 is a secure password-based authenticated group
key exchange protocol as long as the primitives on which the protocol is based
meet the appropriate security notion described in the theorem.

Theorem 1. Let $\mathcal{LPKE}$ be a labeled encryption scheme secure against chosen-ciphertext
attacks, let $\mathcal{HASH}$ be a family of smooth projective hash functions, let $\mathcal{UH}$ and
$\mathcal{UH}'$ be families of universal hash functions, and let $\mathcal{SIG}$ be a signature scheme
that is unforgeable against chosen-message attacks. Let $\mathcal{GPAKE}$ denote the protocol
built from these primitives as described above and let $\mathcal{A}$ be an adversary
against $\mathcal{GPAKE}$. Then, the advantage function $\mathrm{Adv}_{\mathcal{GPAKE},\mathcal{A}}(k)$ is only negligibly
larger than $O(q/N)$, where $q$ denotes the maximum number of different protocol
instances to which $\mathcal{A}$ has asked Send queries and $N$ is the dictionary size.

The proof can be found in the full version of this paper [2]. In it, we actually show
that the security of our protocol is only negligibly larger than $(q_{send\text{-}1} + q_{send\text{-}2})/N$,
where $q_{send\text{-}1}$ and $q_{send\text{-}2}$ represent the maximum number of Send queries that the
adversary can ask with respect to the first and second round of communication
and $N$ is the dictionary size. Even though we believe this security level is good
enough for groups of small to medium sizes, it may not be sufficient in cases
where the number of users in a group is large and the dictionary size is small.
In the latter case, it would be desirable to have a scheme whose security is only
negligibly larger than the number of sessions (and not protocol instances) over
the size of the dictionary. Unfortunately, the latter cannot be achieved by our
protocol as it is possible for an active adversary to test in the same session a
number of passwords that is linear in the total number of users, for instance by
playing the role of every other user.

Fig. 1 (the steps of player $U_i$, round by round):

Round 1: $pid_i = \{U_1, \ldots, U_n\}$; $(sk_i, vk_i) \leftarrow \mathrm{SKG}(1^k)$; $l_i = vk_i \,\|\, U_1 \,\|\, \ldots \,\|\, U_n$;
  $c_i^L \leftarrow \mathrm{Enc}(pk, l_i, pw; r_i^L)$; broadcast $(l_i, c_i^L)$.
Round 2: $hk_i^L \leftarrow HK(pk)$; $phk_i^L \leftarrow \mathrm{ProjKG}(hk_i^L, l_{i-1}, c_{i-1}^L)$; $c_i^R \leftarrow \mathrm{Enc}(pk, l_i, pw; r_i^R)$;
  broadcast $(c_i^R, phk_i^L)$.
Round 3: $hk_i, hk_i^R \leftarrow HK(pk)$; $phk_i \leftarrow \mathrm{ProjKG}(hk_i, l_{i+1}, c_{i+1}^R)$; $phk_i^R \leftarrow \mathrm{ProjKG}(hk_i^R, l_{i+1}, c_{i+1}^R)$;
  $K_{i+1}^L = \mathrm{ProjHash}(phk_{i+1}^L, c_i^L, l_i, pw, r_i^L)$; $K_i^R = \mathrm{Hash}(hk_i^R, c_{i+1}^R, l_{i+1}, pw)$;
  $X_i^R = K_{i+1}^L \cdot K_i^R$; $test_i^R = UH_1(X_i^R)$; $\sigma_i^R = \mathrm{Sign}(sk_i, T_i^R)$;
  broadcast $(phk_i, phk_i^R, test_i^R, \sigma_i^R)$.
Round 4: if $\mathrm{Ver}(vk_{i-1}, T_{i-1}^R, \sigma_{i-1}^R) = 0$ then $acc_i = \mathrm{false}$;
  $K_i^L = \mathrm{Hash}(hk_i^L, c_{i-1}^L, l_{i-1}, pw)$; $K_{i-1}^R = \mathrm{ProjHash}(phk_{i-1}^R, c_i^R, l_i, pw, r_i^R)$;
  $X_i^L = K_i^L \cdot K_{i-1}^R$; if $test_{i-1}^R \neq UH_1(X_i^L)$ then $acc_i = \mathrm{false}$; $test_i^L = UH_2(X_i^L)$;
  $K_i = \mathrm{Hash}(hk_i, c_{i+1}^R, l_{i+1}, pw)$; $K_{i-1} = \mathrm{ProjHash}(phk_{i-1}, c_i^R, l_i, pw, r_i^R)$;
  $X_i = K_i / K_{i-1}$; broadcast $(X_i, test_i^L)$.
Round 5: if $test_{i+1}^L \neq UH_2(X_i^R)$ then $acc_i = \mathrm{false}$; if $\prod_{j=1}^{n} X_j \neq 1$ then $acc_i = \mathrm{false}$;
  $T = T_1 \,\|\, \ldots \,\|\, T_n$; $\sigma_i = \mathrm{Sign}(sk_i, T)$; broadcast $\sigma_i$.
Finalization: for $j = 1, \ldots, i-1, i+1, \ldots, n$: if $\mathrm{Ver}(vk_j, T, \sigma_j) = 0$ then $acc_i = \mathrm{false}$;
  $MSK = K_i^{\,n} \cdot \prod_{j=1}^{n-1} X_{i+j}^{\,n-j}$; $SK = UH'(MSK)$.

Fig. 1. An honest execution of the password-authenticated group key exchange protocol
by player $U_i$ in a group $\{U_1, \ldots, U_n\}$, where $T_i^R = U_i \,\|\, U_{i+1} \,\|\, c_i^L \,\|\, c_{i+1}^R \,\|\, phk_i \,\|\, phk_i^R \,\|\,
phk_{i+1}^L \,\|\, test_i^R$ and $T_i = vk_i \,\|\, U_i \,\|\, c_i \,\|\, phk_i \,\|\, phk_i^L \,\|\, phk_i^R \,\|\, X_i \,\|\, X_i$ for $i = 1, \ldots, n$.

4.3 Efficiency 

Our protocol is quite efficient, only requiring a small amount of computation by 
each user. In what concerns encryption and hash computations, each user only 
has to perform 2 encryptions, 3 projection key generations, 3 hash computations, 
3 projected hash computations, and 5 universal hash computations. The most 
expensive part of our protocol, which is linear in the group size, is the number of 
signature verifications and the master session key computation. While the latter 
computation can be improved by using algorithms for multi-exponentiations, the 
former can be improved by using two-time signature schemes. 

It is worth mentioning that, as done by Katz et al. [27] in the case of the
KOY protocol [28], one could also improve the efficiency of our protocol by using
two different encryption schemes when computing the ciphertexts $c_i^L$ and
$c_i^R$ broadcast in the first and second rounds. While the computation of the
ciphertexts $c_i^L$ would require a CCA-secure labeled encryption scheme, the
computation of the ciphertexts $c_i^R$ would only require a CPA-secure encryption
scheme.

4.4 Future Work 

One issue not addressed in the current paper is whether our protocol remains 
secure in the presence of Corrupt queries, through which the adversary can learn 
the values of the long-term secret keys held by a user. This is indeed a significant 
limitation of our security model which we expect to address in the full version 
of this paper. In fact, we do hope to be able to prove that our protocol achieves 
forward security according to the definition given in [30]. 
Abstract. We consider oblivious transfer protocols and their applications
that use a semantically secure homomorphic encryption scheme (e.g.
Paillier’s) underneath. We show that some oblivious transfer protocols
and their derivatives such as private matching, oblivious polynomial
evaluation and private shared scalar product could be subject to an attack.

The same attack can be applied to some non-interactive zero-knowledge 
arguments which use homomorphic encryption schemes underneath. The 
roots of our attack lie in the additional property that some semanti- 
cally secure encryption schemes possess, namely, the decryption also re- 
veals the random coin used for the encryption, and that the (sender’s 
or prover’s) inputs may belong to a space, that is very small compared 
to the plaintext space. In this case it appears that even a semi-honest 
chooser (verifier) can derive from the random coin bounds for all or some 
of the sender’s (prover’s) private inputs with non-negligible probability. 

We propose a fix which precludes the attacks. 

Keywords: Oblivious Transfer, Homomorphic Semantically Secure 
Cryptosystems, Paillier’s Public-Key Cryptosystem, Non-Interactive 
Zero-Knowledge Arguments. 

1 Introduction 

Oblivious Transfer (OT) [4,30] protocols allow one party, called the sender to 
send part of its inputs to a second party, called chooser , in such a manner that 
the chooser does not receive more information than it is entitled and the sender 
does not learn which part of the inputs the chooser received. Oblivious transfer 
is used as a key component in many applications of cryptography. 

Naor and Pinkas [26] proposed a way to use OT for polynomial evaluation. 
Another application known as private matching solves the problem of two par- 
ties who possess lists of items and want to compute their set-intersection or to 
approximate the size of the intersection. Freedman et al. [16] have shown that 
a simple reduction from oblivious transfer to private matching exists. The au- 
thors of [16] used oblivious polynomial evaluation in their solution for the private 
matching set intersection problem. 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 348-363, 2006. 
In this paper we will work in the semi-honest security model, in which the
parties follow the protocol, but may be curious. We do not consider malicious 
parties who may deviate from the protocol. Often, there is no guarantee for the 
privacy of the sender if the chooser is malicious, but we do not consider this 


Our Contribution: We first describe an attack against an oblivious transfer 
protocol; subsequently we apply the attack to certain protocols derived from 
oblivious transfer, such as oblivious polynomial evaluation, private matching 
(set cardinality and subset inclusion) and private (shared) scalar product. For 
our attack we exploit the additional property that some semantically secure en- 
cryption schemes possess, namely that the decryption reveals the random coin 
used for encryption. We consider the case when the (sender’s) inputs belong to 
a very small space compared to the plaintext space of the Paillier cryptosystem. 
We show that from the random coin the chooser can derive certain informa- 
tion (bounds) for all (or some) of the sender’s private inputs with non-negligible 
probability. We extend the attack to certain non-interactive zero-knowledge pro- 
tocols. We introduce the so-called irrational behavior of the chooser, meaning 
that a semi-honest but curious chooser is “bluffing” in order to get the sender’s
inputs, i.e. the chooser is putting his privacy at risk. To the best of our knowl- 
edge some of the protocols from the following papers [6,12,17,19,31] could be 
subject to this attack when applied in this scenario. Finally we propose a fix 
which precludes the attacks. 

Organization of the paper: In the next section we introduce the notions of ho- 
momorphic semantically secure cryptosystems, oblivious transfer, and different 
applications of the oblivious transfer. Section 3 provides description of several 
known protocols and in Sect. 4 the attack against them is proposed. We conclude 
in Sect. 5. 

2 Preliminary 

Homomorphic Semantically Secure Cryptosystems 

Let $\Pi = (\mathrm{Gn}, E, D)$ be a public-key encryption cryptosystem, where $\mathrm{Gn}$ is the
key generation algorithm, $E$ is the encryption algorithm and $D$ is the decryption
algorithm. Let $k$ be the security parameter, then the key generation algorithm
$\mathrm{Gn}$ on input $1^k$ generates a valid key pair $(SK, K)$ of private and public keys
that corresponds to the security parameter $k$. The encryption algorithm $E$ takes
as input a plaintext $m$, a random coin $r$ and the public key $K$ and outputs the
corresponding ciphertext $E_K(m, r)$. The decryption algorithm takes as input a
ciphertext $c$ and the private key $SK$ and outputs the corresponding plaintext
$D_{SK}(c)$. More formally: $\mathrm{Gn} : 1^k \mapsto (SK, K)$; $E_K : (m, r) \mapsto E_K(m, r)$; $D_{SK} : c \mapsto
D_{SK}(c)$ and $D_{SK}(c) = m$ if $c = E_K(m, r)$. It is required that $D_{SK}(E_K(m, r)) =
m$ for any random coin $r$, key pair $(SK, K)$ and plaintext $m$. It is said that $\Pi$ is
homomorphic if $E_K(m_1, r_1) \cdot E_K(m_2, r_2) = E_K(m_1 + m_2, r_1 \cdot r_2)$. It then follows
that $E_K(m, r)^{s} = E_K(s \cdot m, r^{s})$.
For an algorithm $A$, define $\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{\Pi}(A)$ to be the advantage that $A$ has over
random guessing when trying to distinguish random encryptions of two elements
chosen by herself. It is said that $\Pi$ is semantically secure under a chosen-plaintext
attack (IND-CPA secure) if for all PPT (probabilistic polynomial time)
algorithms $A$, the advantage $\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{\Pi}(A)$ is negligible in $k$.

Several homomorphic probabilistic encryption schemes are known: ElGamal 
[14], Goldwasser and Micali [18], Benaloh [2], Okamoto and Uchiyama [28], Nac- 
cache and Stern [25], Paillier [29] and its modifications [5,13]. 

For the sake of simplicity, we will describe the protocols with the Paillier 
cryptosystem (some of the protocols which we consider are indeed designed for 
the Paillier cryptosystem), although most of the homomorphic semantically se- 
cure cryptosystems can be used instead of Paillier’s. We present the Paillier 
cryptosystem for completeness, but omit the number-theoretic justifications. 
Key Generation: Let $N$ be an RSA modulus $N = pq$, where $p, q$ are large primes.
The public key $K$ is $N$ and the secret key $SK$ is $\lambda(N) = \mathrm{lcm}((p - 1), (q - 1))$,
where $\lambda(N)$ is the Carmichael function. One can assume w.l.o.g. that $N > 2^k$,
where the security parameter $k > 1024$.

Encryption: To encrypt a plaintext $m \in \mathbb{Z}_N$, compute the ciphertext
$c = E_K(m, r) = (1 + mN)\, r^{N} \bmod N^2$, with $r \in_R \mathbb{Z}_N^*$.

Decryption: To decrypt a ciphertext $c \in \mathbb{Z}_{N^2}$, compute the plaintext
$$m = D_{SK}(c) = \frac{L(c^{\lambda(N)} \bmod N^2)}{\lambda(N)} \bmod N, \quad \text{where } L(u) = \frac{u - 1}{N}.$$

The Paillier cryptosystem possesses the following useful properties:
$$E_K(m_1, r_1)\, E_K(m_2, r_2) \bmod N^2 = E_K(m_1 + m_2 \bmod N,\; r_1 r_2 \bmod N)$$
$$E_K(m, r)^{s} \bmod N^2 = E_K(sm \bmod N,\; r^{s} \bmod N)$$
$$E_K(m, r)\,(1 + N)^{c} \bmod N^2 = E_K(m + c \bmod N,\; r).$$

In order to re-randomize a ciphertext $c = E_K(m, r)$, simply multiply it by
a random encryption of $0$, i.e. compute $c\, r'^{N} \bmod N^2 = E_K(m, rr' \bmod N)$ for
a randomly chosen $r'$.

It is well known (see [5]) that for Paillier’s cryptosystem $D_{SK}(c) = (m, r)$ if
$c = E_K(m, r)$, i.e. the result of the decryption of a ciphertext is the corresponding
plaintext and the random coin used for the encryption (usually the random coin
cannot be recovered efficiently). Indeed, as Catalano et al. have shown, there is
an alternative decryption process based on the observation that the ciphertext
$c = E_K(m, r)$ satisfies $c = r^{N} \bmod N$. The latter can disclose $r$ by an RSA
decryption (modulo $N$, with public exponent $N$). Now putting $r$ in the original
ciphertext equation provides the plaintext $m$.

We stress here that the ability to efficiently disclose the random coin used 
for the encryption, forms an essential point for our attack. We pose as an open 
problem whether our attack can be extended to some of the other homomorphic 
semantically secure cryptosystems. 
2.1 $\binom{n}{1}$-Oblivious Transfer and Zero-Knowledge Arguments

During an $\binom{n}{1}$-Oblivious Transfer the sender maintains $n$ items and the chooser
receives one item chosen by him. The sender does not know which item was
transferred. The security of an OT is usually defined in two parts. We will follow
the definitions of [22,27]. Let $k$ be the security parameter.

Chooser-Privacy: Consider an algorithm $A$ that executes the sender’s part of the
OT protocol; define $\mathrm{Adv}^{\mathrm{chooser}}_{OT}(A)$ to be the probability that after observing an
execution of the protocol, $A$ can predict which choice was made by the chooser.
An OT protocol is said to be (computationally) chooser-private if $\mathrm{Adv}^{\mathrm{chooser}}_{OT}(A)$
is negligible for any PPT algorithm $A$. In all these protocols the chooser-privacy
(which holds even against a malicious sender) will be based on the indistinguishability
implied by the underlying semantically secure encryption scheme.

Sender-Privacy: Consider an algorithm $A$ executing the chooser’s part of the
OT protocol; define a simulator $S$ that generates an output that is statistically
indistinguishable from the view of $A$ that interacts with the honest sender. More
precisely, for an algorithm $S$ define $\mathrm{Adv}^{\mathrm{sender}}_{OT,k}(A, S)$ to be the statistical difference
of the distributions of the $S$ output and the view of $A$. An OT protocol is called
(statistically) sender-private if for every (not necessarily PPT) $A$ there exists a
(not necessarily PPT) $S$, such that $\mathrm{Adv}^{\mathrm{sender}}_{OT,k}(A, S)$ is negligible in $k$. The sender-privacy
is called perfect if $\mathrm{Adv}^{\mathrm{sender}}_{OT,k}(A, S) = 0$. In all these cases the sender-privacy
is based on a comparison with the ideal model.

Recently Damgard et al. [12] have proposed a method to build non-interactive
zero-knowledge protocols from homomorphic encryption. Namely the authors
described a method for compiling a class of $\Sigma$-protocols (3-move public-coin
protocols) into non-interactive zero-knowledge arguments. In a zero-knowledge
proof system a prover convinces a verifier via an interactive protocol that some
statement is true. The verifier should learn nothing beyond the fact that the
assumption is valid. $\Sigma$-protocols are three-move protocols where conversations
are tuples of the form $(a, e, z)$ where $e$ is a random challenge sent by the verifier, $a$
is the prover’s input and $z$ is the proof. There are several well-known techniques
for making $\Sigma$-protocols non-interactive [11,15].

2.2 Applications of OT 

As shown by Kilian [21] most cryptographic protocols can be based on oblivious 
transfer. In this section we will describe several protocols built on top of OT. 

An $\binom{n}{1}$-OT protocol sometimes needs to be sender-verifiable (or committed)
[7,10] in the following sense: the sender commits to every item and sends these
commitments to the chooser; these commitments later can be used in various
zero-knowledge proofs and arguments.

The notion of conditional oblivious transfer (COT) was introduced by Di
Crescenzo et al. [9]. It is a variant of OT in which the two participants have
private inputs, say $x$ and $y$ respectively, and share a public predicate $Q(\cdot, \cdot)$. The
sender has a secret $s$, which is transferred to the chooser if and only if $Q(x, y) = 1$.
If $Q(x, y) = 0$, no information about $s$ is transferred to the chooser. The chooser’s
private input and the value of the predicate remain computationally hidden from
the sender.

The notion of strong conditional oblivious transfer (SCOT) has been first
introduced by Di Crescenzo [8]; later Blake and Kolesnikov [3] have independently
defined the same notion. SCOT strengthens the COT definition: in the SCOT
setting, unlike the COT “all-or-nothing” approach, the sender possesses two
secrets $s_0$ and $s_1$ and transfers $s_i$ if $Q(x, y) = i$ (where $i = 0$ or $1$). In addition to
the COT requirement that the chooser’s private input has to be computationally
hidden from the sender, the value of the predicate should also remain hidden for
both participants.

Consider the following problem: two parties possess lists (sets) of items and
they want to compute their set-intersection. Related problems are to approximate
the size of the intersection or to decide whether the intersection size is
greater than a threshold. Such problems are called private matching (PM) in
[16]. That is, if the chooser inputs $X = \{x_1, \ldots, x_{k_c}\}$ and the sender inputs $Y =
\{y_1, \ldots, y_{k_s}\}$ then the chooser learns $X \cap Y = \{x_u : \exists v,\, x_u = y_v\} \leftarrow \mathrm{PM}(X, Y)$.
The related variants are as follows: the chooser learns $|X \cap Y| \leftarrow \mathrm{PM}_C(X, Y)$
for the intersection size problem or, for the threshold intersection size problem, he
gets $1 \leftarrow \mathrm{PM}_t(X, Y)$ if $\mathrm{PM}_C(X, Y) > t$ and $0$ otherwise. As shown by Freedman
et al. [16] a simple reduction from oblivious transfer to private matching exists.

In a simpler form of PM both lists contain just one item, thus the two parties 
want to compare their private inputs without leaking it. Private equality test 
(PET) allows the chooser to know whether his private input and the sender’s 
private input are equal [16,22]. 

Another kind of PM is the private subset inclusion. Namely, both participants
have sets $X$ and $Y$ as inputs and the chooser gets $0$ if $X \subseteq Y$ or $1$ otherwise.
Laur et al. [24] have proposed a private subset inclusion protocol, based on an
improvement of the intersection size protocol by Freedman et al. [16].

Naor and Pinkas [26] proposed a way to use OT for polynomial evaluation 
(OPE). Freedman et al. [16] used OPE in their solution for the PM set inter- 
section problem. Recently Freedman et al. [17] proposed another OPE protocol 
which is used as a building block for a keyword search protocol. 

A protocol between two parties is called a scalar product (SP) protocol when on private inputs of both parties $\mathbf{x} = (x_1, \dots, x_n)$ and $\mathbf{y} = (y_1, \dots, y_n)$ it outputs their scalar product $\langle \mathbf{x}, \mathbf{y} \rangle = \sum_{i=1}^{n} x_i y_i$. A protocol is called a shared scalar product (SSP) protocol [19] when both parties receive as output of the protocol uniformly distributed additive shares of the scalar product, i.e., the chooser gets $s_c \in \mathbb{Z}_N$ and the sender gets $s_s \in \mathbb{Z}_N$ such that $s_c + s_s = \langle \mathbf{x}, \mathbf{y} \rangle \bmod N$. These protocols are called private if the inputs (i.e. $\mathbf{x}$ and $\mathbf{y}$) are not disclosed. 

3 The Protocols 


This section describes the protocols to which our attacks can be applied. The 
reader who is familiar with these protocols can skip this section and continue 
with the attack described in Sect. 4. 
Consider the standard OT setting, i.e. the chooser and the sender have their 
private inputs. The chooser encrypts his input and sends it to the sender. The 
sender applies a transformation to the encrypted chooser’s input and to his own 
input (which could be also encrypted). The value obtained in this way is returned 
to the chooser. 

3.1 $\binom{n}{1}$-Oblivious Transfer 

We will start with a short description of Homomorphic Oblivious Transfer and 
the AIR protocol [1,22]. 

Private Inputs: 

- The sender has a vector $\boldsymbol{\mu} = (\mu_1, \dots, \mu_n)$, $\mu_i \in \mathbb{Z}_T$ and $T < N$. 

- The chooser has made a choice $\sigma \in \{1, \dots, n\}$. 

Private Output: The chooser gets $\mu_\sigma$. 

1. The chooser generates a (private, public) key-pair $(SK, K) \leftarrow \mathcal{G}_\Pi(1^k)$. Then he generates a random coin $r \in_R \mathbb{Z}_N^*$ and computes $c \leftarrow E_K(\sigma, r)$. He sends $K$ and $c$ to the sender. 

2. For $i = 1, \dots, n$ the sender performs the following: generates random coins $r_i, s_i \in_R \mathbb{Z}_N^*$ and computes $c_i \leftarrow E_K(\mu_i, 1)\,\big(c \cdot E_K(-i, 1)\big)^{s_i}\, E_K(0, r_i) \bmod N^2$. He sends $c_1, \dots, c_n$ to the chooser. 

3. The chooser obtains $\mu_\sigma \leftarrow D_{SK}(c_\sigma)$. 

Homomorphic $\binom{n}{1}$-Oblivious Transfer 

Aiello et al. [1] have proposed an OT protocol, which provides perfect sender- 
privacy and computational chooser-privacy (AIR protocol, in short). This proto- 
col has been slightly modified and generalized by Lipmaa [22] to a homomorphic 
oblivious transfer (HOT) protocol. In [23] the authors fix some problems with 
the scheme from [22] . 

Since the encryption scheme is semantically secure, the sender cannot derive $\sigma$ from the ciphertext $c$ (step 1), which guarantees the chooser-privacy. Using the homomorphic property of the encryption scheme it is easy to verify that in step 2 the sender computes $c_i \leftarrow E_K\big(\mu_i + (\sigma - i)s_i \bmod N,\ r_i r^{s_i} \bmod N\big)$. Then in step 3 the chooser can obtain $\mu_i + (\sigma - i)s_i \bmod N$. But since the $s_i$ are random coins, the values $\mu_i$ are perfectly hidden, except $\mu_\sigma$. This guarantees the correctness of the scheme and the sender-privacy. The HOT protocol is further used in [22] to build committed OT and PET protocols. 

Stern's $\binom{n}{1}$-Oblivious Transfer 

Now we present the OT protocol proposed by Stern [31]; this protocol has later 
been rediscovered by Chang [6]. The original protocol uses a homomorphic se- 
mantically secure encryption scheme and a homomorphic commitment scheme. 
The Paillier encryption scheme, proposed one year after the publication of [31], 
is not used in the original scheme. 
Private Inputs: 

- The sender has a vector $\boldsymbol{\mu} = (\mu_1, \dots, \mu_n)$, $\mu_i \in \mathbb{Z}_T$ and $T < N$. 

- The chooser has made a choice $\sigma \in \{1, \dots, n\}$. 

Private Output: The chooser gets $\mu_\sigma$. 

1. The chooser generates a (private, public) key-pair $(SK, K) \leftarrow \mathcal{G}_\Pi(1^k)$. He chooses an $n$-tuple $(x_1, \dots, x_n)$ such that $x_\sigma = 1$ and $x_i = 0$ for $i \neq \sigma$. Then he generates $n$ random coins $r_i \in_R \mathbb{Z}_N^*$ and computes $c_i \leftarrow E_K(x_i, r_i)$ for $i = 1, \dots, n$. He sends $K$ and $c_1, \dots, c_n$ to the sender. Last he provides zero-knowledge proofs that all $x_i$ except one are equal to 0 and the nonzero one is equal to 1. 

2. The sender generates a random coin $r \in_R \mathbb{Z}_N^*$ and computes $c \leftarrow \Big(\prod_{i=1}^{n} c_i^{\mu_i}\Big)\, E_K(0, r) \bmod N^2$. He sends $c$ to the chooser. 

3. The chooser obtains $\tilde{\mu} \leftarrow D_{SK}(c)$. 

Using the homomorphic property of the encryption scheme it is easy to verify that in step 2 the sender computes $c \leftarrow E_K\big(\sum_{i=1}^{n} \mu_i x_i \bmod N,\ r \prod_{i=1}^{n} r_i^{\mu_i} \bmod N\big)$. Then in step 3 the chooser can obtain $\tilde{\mu} = \sum_{i=1}^{n} \mu_i x_i \bmod N$. But since $(x_1, \dots, x_n)$ is such that $x_\sigma = 1$ and $x_i = 0$ for $i \neq \sigma$, the decrypted value is $\tilde{\mu} = \mu_\sigma$. 

Note that in both OT protocols [31] and [1,22] the sender uses an encryption 
of 0 (step 2) to re-randomize the ciphertext. 
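The property the rest of the paper builds on, namely that Paillier decryption also returns the coin, can be seen concretely in a toy implementation. The following Python code is an added example and not code from the paper: it implements Paillier with the usual generator $g = N + 1$, a decryption $D_{SK}(c) = (m, r)$ that recovers the coin next to the plaintext, and Stern's protocol from above run end to end (the zero-knowledge proofs of step 1 are omitted). The primes, the function names and the sample vector are the example's own, constructed so that it runs instantly.

```python
import math
import secrets

# Constructed demonstration primes; a real Paillier modulus is ~2048 bits.
# Paillier requires gcd(N, phi(N)) = 1, which holds for this pair.
P_DEMO, Q_DEMO = 1009, 1013


def paillier_keygen(p=P_DEMO, q=Q_DEMO):
    """Return (SK, K): SK = (N, phi(N), phi(N)^-1 mod N), public key K = N.

    The generator is fixed to g = N + 1, so decryption needs only phi(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (n, phi, pow(phi, -1, n)), n


def random_coin(n):
    """A uniformly random element of Z_N^* (a Paillier random coin)."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r


def encrypt(n, m, r):
    """E_K(m, r) = (1 + N)^m * r^N mod N^2, with an explicit coin r."""
    n2 = n * n
    return (pow(1 + n, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(sk, c):
    """D_SK(c) = (m, r): the plaintext and the coin that was used to encrypt it.

    Once m is known, c * (1+N)^(-m) = r^N mod N^2; reducing modulo N leaves
    r^N mod N, and because N is invertible modulo phi(N) an N-th root is a
    single exponentiation. This coin recovery is what Sect. 4 exploits."""
    n, phi, mu = sk
    n2 = n * n
    m = (((pow(c, phi, n2) - 1) // n) * mu) % n
    r_to_n = (c * pow(1 + n, -m, n2)) % n2 % n
    r = pow(r_to_n, pow(n, -1, phi), n)
    return m, r


def stern_ot(mu_vec, sigma, sk, n):
    """Stern's (n choose 1)-OT of Sect. 3.1, run end to end.

    Returns (mu_tilde, r_tilde, r_expected): the value and the coin the chooser
    decrypts in step 3, and the coin r * prod_i r_i^{mu_i} mod N predicted by
    the text, so the caller can check that the two coincide."""
    n2 = n * n
    # Step 1 (chooser): x_sigma = 1, all other x_i = 0, each under its own coin r_i.
    xs = [1 if i == sigma else 0 for i in range(1, len(mu_vec) + 1)]
    coins = [random_coin(n) for _ in mu_vec]
    cs = [encrypt(n, x, ri) for x, ri in zip(xs, coins)]
    # Step 2 (sender): c = (prod_i c_i^{mu_i}) * E_K(0, r) mod N^2, one re-randomization.
    r = random_coin(n)
    c = encrypt(n, 0, r)
    for ci, mi in zip(cs, mu_vec):
        c = (c * pow(ci, mi, n2)) % n2
    # Step 3 (chooser): decryption yields mu_sigma together with the combined coin.
    mu_tilde, r_tilde = decrypt(sk, c)
    r_expected = r
    for ri, mi in zip(coins, mu_vec):
        r_expected = (r_expected * pow(ri, mi, n)) % n
    return mu_tilde, r_tilde, r_expected


if __name__ == "__main__":
    sk, K = paillier_keygen()
    print(stern_ot([5, 17, 3, 42], 2, sk, K))
```

The sender's items must satisfy $\mu_i < N$ for the decrypted sum to be meaningful, as the text's condition $T < N$ requires; with the constructed primes $N$ is about $10^6$.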

3.2 Oblivious Polynomial Evaluation 

Recall that oblivious polynomial evaluation protocol is a building block for other 
more complex protocols, for example private matching. The protocol given by 
Freedman et al. [17] can be described as follows. 

Private Inputs: 

- The chooser input is a value $x \in \mathbb{Z}_T$. 

- The sender input is a polynomial $P(x) = \sum_{j=0}^{n} a_j x^j$, $a_j \in$ 

- $T$ is chosen such that $\max(|P(x)|) < N$. 

Private Output: The chooser gets $P(x)$. 

1. The chooser generates a (private, public) key-pair $(SK, K) \leftarrow \mathcal{G}_\Pi(1^k)$. Then he generates random coins $r_j \in_R \mathbb{Z}_N^*$ and computes $c_j \leftarrow E_K(x^j, r_j)$ for $j = 1, \dots, n$. The chooser sends $K$ and $c_1, \dots, c_n$ to the sender. 

2. The sender generates a random coin $r \in_R \mathbb{Z}_N^*$ and computes $c = E_K(a_0, r)\, \Big(\prod_{j=1}^{n} c_j^{a_j}\Big) \bmod N^2$. He sends $c$ to the chooser. 

3. The chooser decrypts the received ciphertext, i.e. he computes $z = D_{SK}(c)$. 

Observe that $c = E_K\big(\sum_{j=0}^{n} a_j x^j \bmod N,\ r \prod_{j=1}^{n} r_j^{a_j} \bmod N\big)$, thus $z = \sum_{j=0}^{n} a_j x^j \bmod N$, i.e. $z = P(x)$. Note that the sender re-randomizes the ciphertext (step 2) in a slightly non-standard way - by encrypting $a_0$ with a random $r$ instead of encrypting 0 afterwards. 
3.3 Private Shared Scalar Product 

In [19] Goethals et al. proposed a private SSP protocol. As pointed out by the authors of [19] a private SP can be obtained immediately from the private SSP protocol by defining $s_s \leftarrow 0$. We present here the private SSP protocol. 

Private Inputs: 

- The chooser input is a vector $\mathbf{x} = (x_1, \dots, x_n)$, $x_i \in \mathbb{Z}_T$ and $T < \lfloor \sqrt{N/n} \rfloor$. 

- The sender input is a vector $\mathbf{y} = (y_1, \dots, y_n)$, $y_i \in \mathbb{Z}_T$. 

Private Output: 

- The chooser gets a share $s_c \in \mathbb{Z}_N$. 

- The sender gets a share $s_s \in \mathbb{Z}_N$. 

- Such that $s_c + s_s = \langle \mathbf{x}, \mathbf{y} \rangle \bmod N$. 

1. The chooser generates a (private, public) key-pair $(SK, K) \leftarrow \mathcal{G}_\Pi(1^k)$. He generates random coins $r_i \in_R \mathbb{Z}_N^*$ and computes $c_i \leftarrow E_K(x_i, r_i)$ for $i = 1, \dots, n$. The chooser sends $K$ and $c_1, \dots, c_n$ to the sender. 

2. The sender performs the following: generates a random coin $r \in_R \mathbb{Z}_N^*$, a random share $s_s \in_R \mathbb{Z}_N$ and computes $c \leftarrow E_K(-s_s, 1)\, \Big(\prod_{i=1}^{n} c_i^{y_i}\Big)\, E_K(0, r) \bmod N^2$. He sends $c$ to the chooser. 

3. The chooser decrypts the received ciphertext and sets it as his share $s_c$, i.e. he computes $s_c = D_{SK}(c)$. 

Note that $c = E_K\big(-s_s + \sum_{i=1}^{n} x_i y_i \bmod N,\ r \prod_{i=1}^{n} r_i^{y_i} \bmod N\big)$, thus $s_c = -s_s + \langle \mathbf{x}, \mathbf{y} \rangle \bmod N$, i.e. the protocol is correct. Again the semantic security of the encryption scheme guarantees the chooser-privacy. The sender-privacy is preserved since the chooser only sees a random encryption of $-s_s + \langle \mathbf{x}, \mathbf{y} \rangle$, where $s_s$ is random. Note again that the sender uses an encryption of 0 (step 2) to re-randomize the ciphertext. 

The authors of [19] give an interesting application of an SP protocol: if $x_i, y_i \in \{0, 1\}$, i.e. $\mathbf{x}$ and $\mathbf{y}$ are the characteristic vectors of two sets $X$ and $Y$, then $\langle \mathbf{x}, \mathbf{y} \rangle = |X \cap Y|$. In other words such an SP protocol provides a solution for the private matching intersection set size problem. 

3.4 Private Matching 

We first describe the private subset inclusion protocol given by Laur et al. [24]. 
Then we propose a modification to this protocol, which is more efficient. 

Laur’s Private Subset Inclusion 

The authors of [24] use the fact that $X \subseteq Y$ if and only if $|X| = |X \cap Y|$. Instead of using directly the sets, their characteristic functions (denoted with the same letters) are used in the protocol, where $X[i] = 1$ if $i \in X$ and $X[i] = 0$ otherwise ($Y[i]$ is defined in a similar way). 

Private Inputs: 

- The chooser input is a set $X \subseteq \{1, \dots, n\}$. 

- The sender input is a set $Y \subseteq \{1, \dots, n\}$. 

Private Output: The chooser gets 0 if $X \subseteq Y$. 

1. The chooser generates a (private, public) key-pair $(SK, K) \leftarrow \mathcal{G}_\Pi(1^k)$. Then he generates random coins $r_j \in_R \mathbb{Z}_N^*$ and computes $c_j \leftarrow E_K(X[j], r_j)$ for $j = 1, \dots, n$. The chooser sends $K$ and $c_1, \dots, c_n$ to the sender. 

2. The sender generates random coins $r, s \in_R \mathbb{Z}_N^*$ and computes $c = \Big(\prod_{j : Y[j] = 0} c_j\Big)^{s}\, E_K(0, r) \bmod N^2$. He sends $c$ to the chooser. 

3. The chooser decrypts the received ciphertext, i.e. he computes $z = D_{SK}(c)$ and accepts that $X \subseteq Y$ if $z = 0$. 

Note that $c = E_K\big(s \sum_{j : Y[j] = 0} X[j] \bmod N,\ r \prod_{j : Y[j] = 0} r_j^{s} \bmod N\big)$. Thus the chooser gets $z = s \sum_{j : Y[j] = 0} X[j] \bmod N$, which is zero only if all $X[j] = 0$ when $Y[j] = 0$. The last relation implies that $X \subseteq Y$. 

Private Subset Inclusion 

We also do not use directly the sets in our protocol, but their characteristic functions redefined as follows: $X[i] = s_i$ if $i \in X$ (for a random nonzero $s_i \in_R \mathbb{Z}_T$ and $T < \lfloor N/n \rfloor$) and $X[i] = 0$ otherwise. 

Private Inputs: 

- The chooser input is a set $X \subseteq \{1, \dots, n\}$. 

- The sender input is a set $Y \subseteq \{1, \dots, n\}$. 

Private Output: The chooser gets 0 if $X \subseteq Y$. 

1. The chooser generates a (private, public) key-pair $(SK, K) \leftarrow \mathcal{G}_\Pi(1^k)$. Then he generates random coins $r_j \in_R \mathbb{Z}_N^*$ and computes $c_j \leftarrow E_K(X[j], r_j)$ for $j = 1, \dots, n$. The chooser sends $K$ and $c_1, \dots, c_n$ to the sender. 

2. The sender generates a random coin $r \in_R \mathbb{Z}_N^*$ and computes $c = \Big(\prod_{j : Y[j] = 0} c_j\Big)\, E_K(0, r) \bmod N^2$. He sends $c$ to the chooser. 

3. The chooser decrypts the received ciphertext, i.e. he computes $z = D_{SK}(c)$ and accepts that $X \subseteq Y$ if $z = 0$. 

Note that $c = E_K\big(\sum_{j : Y[j] = 0} X[j] \bmod N,\ r \prod_{j : Y[j] = 0} r_j \bmod N\big)$. Thus $z = \sum_{j : Y[j] = 0} X[j]$, which is zero only if all $X[j] = 0$ when $Y[j] = 0$. The last relation implies that $X \subseteq Y$. Obviously this protocol is more efficient than the original protocol of [24] since the sender does not need to compute a random power of $\prod_{j : Y[j] = 0} c_j$. Note again that the standard way to re-randomize the ciphertext (step 2) is used in both protocols, i.e. the sender uses an encryption of 0. 

3.5 Zero-Knowledge Arguments 

Consider the following protocol for equality of double base discrete logarithms. We consider another $\Sigma$-protocol than the one in [12], which is for the equality of discrete logarithms, where the prover should prove that indeed $h_1 = g_1^w \bmod p$ and $h_2 = g_2^w \bmod p$ for some $w$. Let $k$ be the security parameter. 

Input: 

- The system setting is the tuple $(p, p', g_1, g_2, h_1, h_2)$ where $p, p'$ are prime, $p'$ is $k$-bit long, $p = 2p' + 1$, $g_1 \in \mathbb{Z}_p^*$ has order $p'$ and $g_2, h_1, h_2 \in \langle g_1 \rangle$. In addition $g_2 = g_1^{y}$ for some secret $y \in \mathbb{Z}_{p'}^*$ and $h_1 = g_1^{w} g_2^{w_1}$, $h_2 = g_1^{w} g_2^{w_2}$ for some $w, w_1, w_2 \in \mathbb{Z}_{p'}^*$. 

- The tuple $(p, p', g_1, g_2, h_1, h_2)$ is a common input to the prover and the verifier. 

- The prover gets $w, w_1, w_2$ as private input. 

Output: The verifier checks whether $\log_{g_1}(h_1) \bmod y = \log_{g_2}(h_2) \bmod y$. 

1. The prover chooses random $3k$-bit integers $r, r_1, r_2$ and sends $a_1 = g_1^{r} g_2^{r_1} \bmod p$ and $a_2 = g_1^{r} g_2^{r_2} \bmod p$ to the verifier. 

2. The verifier chooses the challenge $e$ at random in $\mathbb{Z}_{p'}$ and sends it to the prover. 

3. The prover computes $z = r + ew$, $z_1 = r_1 + ew_1$, $z_2 = r_2 + ew_2$ and sends them to the verifier, who checks that $g_1^{z} g_2^{z_1} = a_1 h_1^{e} \bmod p$ and $g_1^{z} g_2^{z_2} = a_2 h_2^{e} \bmod p$. 

4 The Proposed Attack 

4.1 Attack Against Oblivious Transfer 

We first specify the information that the chooser possesses after finishing the 
protocol. 

- Consider the Stern's OT protocol described in Section 3.1. Denote by $\tilde{r} = r \prod_{i=1}^{n} r_i^{\mu_i} \bmod N$ and recall that $D_{SK}(c) = (\tilde{\mu}, \tilde{r})$, where $\tilde{\mu} = \sum_{i=1}^{n} \mu_i x_i \bmod N$. Thus the chooser obtains $\tilde{\mu}$ and $\tilde{r}$. 

- Consider the OPE protocol described in Section 3.2. Denote by $\tilde{r} = r \prod_{j=1}^{n} r_j^{a_j} \bmod N$ and recall that $D_{SK}(c) = (z, \tilde{r})$, where $z = P(x)$. Thus the chooser obtains $z$ and $\tilde{r}$. 

- Consider the private SSP protocol described in Section 3.3. Recall that $D_{SK}(c) = (m, \tilde{r})$, where $m = -s_s + \sum_{i=1}^{n} x_i y_i \bmod N$ and $\tilde{r} = r \prod_{i=1}^{n} r_i^{y_i} \bmod N$. Thus the chooser obtains $m$ and $\tilde{r}$. 

- Consider the modified Subset Inclusion protocol described in Section 3.4. Recall that $D_{SK}(c) = (z, \tilde{r})$, where $z = \sum_{j : Y[j] = 0} X[j] \bmod N$ and $\tilde{r} = r \prod_{j : Y[j] = 0} r_j \bmod N$. Thus the chooser obtains $z$ and $\tilde{r}$. 

Notice that in all these cases $\tilde{r}$ has a common form, which we will further unify as $\tilde{r} = r \prod_{i=1}^{n} r_i^{y_i} \bmod N$. 

Scenario 

Now we describe the scenario in which our attack can be mounted by the chooser. Recall that the sender's inputs to the protocol are $y_i \in \mathbb{Z}_T$. We consider the case when $T \ll N$, i.e. $T$ is very small; how small will be specified later. In this case a semi-honest chooser with irrational behavior can try to get some information on the sender's inputs with a non-negligible probability. For the sake of simplicity we only consider the case of a uniform probability distribution for $(y_1, \dots, y_n)$, but our results hold for any probability distribution. 

Attack - Phase 1 

Let the chooser select the $r_i$ in step 1 to be small prime numbers, e.g. $2 \le p_1 < p_2 < \dots < p_n \ll N$. Thus the probability that $\gcd(r_i, r) \neq 1$ for some $i$ is $1/p_i$ when $r \in_R \mathbb{Z}_N^*$ is chosen (independently) by the sender in step 2. Hence the probability $P_i = \Pr[r_i = p_i \text{ and } r \in_R \mathbb{Z}_N^* : \gcd(r, r_i) \neq 1] = 1/p_i$. 

Consider the random coin $\tilde{r}$ obtained by the chooser after decrypting the sender's reply. Denote by $\hat{r} = r \prod_{i=1}^{n} r_i^{y_i}$ (computed over the integers), thus $\hat{r} = \tilde{r} + \ell N$, where $\ell = 0, 1, \dots$. Recall that $y_i \in \mathbb{Z}_T$, $r \in_R \mathbb{Z}_N^*$ and $r_i = p_i$. Denote by $\hat{N} = \big(\prod_{i=1}^{n} p_i\big)^{T-1}$, hence $\ell < \hat{N}$. Denote by $\chi = \big\lceil N / \prod_{i=1}^{n} p_i^{y_i} \big\rceil$ (assuming the $y_i$'s are fixed); then $\Pr[r \in_R \mathbb{Z}_N : r < \chi] = \chi / N$ and, since the probability that $(y_1, \dots, y_n)$ is the concrete sender's input is $1/T^n$, we obtain that 

$$P[\ell = 0] = \Pr\Big[y_i \in_R \mathbb{Z}_T,\ r \in_R \mathbb{Z}_N^* : r \prod_{i=1}^{n} p_i^{y_i} < N\Big] \qquad (1)$$

$$= \sum_{(\bar{y}_1, \dots, \bar{y}_n)} \Pr\big[(y_1, \dots, y_n) = (\bar{y}_1, \dots, \bar{y}_n)\big] \Pr\Big[r \in_R \mathbb{Z}_N^* : r \prod_{i=1}^{n} p_i^{\bar{y}_i} < N\Big]$$

$$= \frac{1}{T^n} \sum_{(\bar{y}_1, \dots, \bar{y}_n)} \frac{1}{\prod_{i=1}^{n} p_i^{\bar{y}_i}} = \frac{1}{T^n} \prod_{i=1}^{n} \frac{p_i^{T} - 1}{p_i^{T-1} (p_i - 1)}.$$

Notice that $2\chi \le N$ when $(\bar{y}_1, \dots, \bar{y}_n) \neq (0, \dots, 0)$ and $\chi = N$ when $(\bar{y}_1, \dots, \bar{y}_n) = (0, \dots, 0)$, thus we obtain $\Pr[r \in_R \mathbb{Z}_N^*, \chi \neq N : \chi \le r < 2\chi] = \chi / N$. It can be observed that $P[\ell = 0] > P[\ell = i]$ for any $i > 0$, for example: 

$$P[\ell = 1] = \Pr\Big[y_i \in_R \mathbb{Z}_T,\ r \in_R \mathbb{Z}_N^* : N \le r \prod_{i=1}^{n} p_i^{y_i} < 2N\Big] = \frac{1}{T^n} \sum_{(\bar{y}_1, \dots, \bar{y}_n) \neq (0, \dots, 0)} \frac{1}{\prod_{i=1}^{n} p_i^{\bar{y}_i}} = \frac{1}{T^n} \Big( \prod_{i=1}^{n} \frac{p_i^{T} - 1}{p_i^{T-1} (p_i - 1)} - 1 \Big).$$

Hence $P[\ell = 1] = P[\ell = 0] - \frac{1}{T^n}$. More importantly $P[\ell = 0]$ depends only on the primes selected by the chooser and the system parameters $n$ and $T$. 

Attack - Phase 2 

Now we explain further how the attack works. The protocol is executed just once, with the exception that the chooser does not generate the $r_i$ at random but instead selects them as described above. At the end of the execution the chooser possesses $\tilde{r}$ and with probability $P[\ell = 0]$ he guesses $\hat{r}$. Note that $r_i^{y_i}$ is a factor of $\hat{r}$ co-prime with the other factors, except maybe with $r$. Let the attacker target some of the secrets $y_i$ for $i \in I$ ($I \subseteq [n] = \{1, \dots, n\}$). We stress that the chooser should select different prime numbers $p_i$ for $i \in I$. Thus from $\hat{r}$ the chooser can find $\bar{y}_i$, $i \in I$, by simple division. Hence $y_i \le \bar{y}_i$ holds; moreover the difference between $\bar{y}_i$ and $y_i$ is equal to the power $m_i$ of $p_i$ such that $p_i^{m_i}$ divides $r$ but $p_i^{m_i + 1}$ doesn't. Thus an irrational semi-honest chooser can derive from $\tilde{r}$ upper bounds for all $y_i$ for $i \in I$ with probability $P[\ell = 0]$. 

Stern's OT protocol and the modified Subset Inclusion protocol give the chooser additional information, namely $\tilde{\mu}$ ($z$ respectively), which can be used to verify the derived values $\bar{y}_i$. If there is a mismatch between them (e.g. $\tilde{\mu} > \bar{y}_\sigma$) then the chooser tries the next $\hat{r}$ for $\ell = 1$ (with probability $P[\ell = 1]$) and so on. 

Setting 

We are in position now to clarify the setting of our attack (i.e. when it is feasible at all) and more precisely what we mean by $T$ to be small (i.e. $T \ll N$). We recall here that the security parameter $\kappa$ for the OT is the logarithm of $T$. The other security parameter $k$ ensures only that the Paillier cryptosystem is secure, and in this case $\frac{1}{N} \ll \frac{1}{T}$ (i.e. $k > \kappa$) holds, i.e. we consider the case when $\frac{1}{T}$ is non-negligible in $k$. Note that in some protocols it is implicitly assumed that $T = N$, but sometimes this requirement is not imposed. We want to point out that for all four protocols $T$ is allowed to be small; moreover for the private SSP (used for the PM intersection set problem) and the modified Subset Inclusion protocols we have explicitly $T = 2$. 

Recall that the chooser derives with probability $P[\ell = 0]$ upper bounds for all $y_i$ for $i \in I$, i.e. $y_i \le \bar{y}_i$. Hence to break the security of the protocol, namely the sender's privacy, it is sufficient that $P[\ell = 0] > \frac{1}{T^n}$ (i.e. for $I = [n]$). Indeed the inequality holds, see (1). Thus the attacker obtains upper bounds for the secrets, which contradicts the security goal of the protocol. 

Now we will show that if the attacker tries to find the exact values $y_i$ for some set $I$ his success probability is negligible. The attack success probability $P$ of finding the exact values $y_i$ is the product of the probability $P[\ell = 0]$ and the probabilities of $\gcd(r_i, r) = 1$ for those $y_i$, $i \in I$, i.e. 

$$P = P[\ell = 0] \prod_{i \in I} (1 - P_i) = \frac{1}{T^n} \prod_{i=1}^{n} \frac{p_i^{T} - 1}{p_i^{T-1} (p_i - 1)} \prod_{i \in I} \Big(1 - \frac{1}{p_i}\Big) = \frac{1}{T^n} \prod_{i=1}^{n} \Big(1 - \frac{1}{p_i^{T}}\Big) \prod_{i \in [n] \setminus I} \frac{p_i}{p_i - 1}.$$

Obviously the higher $P$ is, the more successful the attack. In order to get the exact values of $y_i$, $i \in I$, it is sufficient that $P > \frac{1}{T^{|I|}}$ (the random guessing), but it is easy to verify that 

$$P < \frac{1}{T^{|I|}}$$

because $T \ge 2$ and taking $p_i = 2$ for $i \in [n] \setminus I$. Hence the success probability of this attack is indeed negligible. 

But the attacker still can mount a stronger attack than finding upper bounds for the secrets. Since the probability $\hat{P}_i = \Pr[r_i = p_i \text{ and } r \in_R \mathbb{Z}_N^* : \gcd(r, r_i) \neq 1 \text{ and } \gcd(r / r_i, r_i) \neq 1] = \frac{1}{p_i^2}$, the attacker obtains with probability $\hat{P} = P[\ell = 0] \prod_{i \in I} \big(1 - \frac{1}{p_i^2}\big)$ that $y_i \in \{\bar{y}_i - 1, \bar{y}_i\}$ for $i \in I$. This is the probability that $m_i \in \{0, 1\}$. Indeed when $I = [n]$ it is easy to check that 

$$\hat{P} = \frac{1}{T^n} \prod_{i=1}^{n} \frac{p_i^{T} - 1}{p_i^{T-1} (p_i - 1)} \prod_{i=1}^{n} \frac{p_i^2 - 1}{p_i^2} \ge \frac{1}{T^n}$$

holds since $p_i \ge 2$ and $T \ge 2$. Thus with probability $\hat{P}$ better than random guessing the attacker derives sets with two values for each of the secrets, which is particularly interesting when $T > 2$. 

To summarize, we have proved the inequalities $P[\ell = 0] \ge \hat{P} \ge \frac{1}{T^{|I|}} \ge P$, and we have shown that $y_i \le \bar{y}_i$ with probability $P[\ell = 0]$ and $y_i \ge \bar{y}_i - 1$ with probability $\hat{P}$. 


Example 

Let the system parameters be $T = 5$ and $n = 2$. If the attacker selects $p_1 = 2$ and $p_2 = 3$ the success probabilities of the attacks are as follows: $P[\ell = 0] = \frac{3751}{32400} \approx 0.116$, $P[\ell = 1] = \frac{2455}{32400} \approx 0.076$, $\hat{P} = \frac{3751}{48600} \approx 0.077$ and $P = \frac{3751}{97200} \approx 0.039$, while the random guessing has probability $\frac{1}{25}$. Thus with approximately three times better probability than random guessing the attacker obtains the upper bound and with approximately twice better probability the lower bound for each secret. 
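The probabilities of this section follow directly from (1) and from the expressions for $P$ and $\hat{P}$. The following Python code is an added example, not the paper's, that evaluates them as exact rationals for any $T$, list of chooser primes and target set $I$, and checks the chain of inequalities stated in the summary; it is run on the parameters of the Example ($T = 5$, $n = 2$, $p_1 = 2$, $p_2 = 3$). The function names are the example's own, and $I$ is given as 0-based positions into the list of primes.

```python
from fractions import Fraction
from math import prod


def p_ell0(T, primes):
    """P[l = 0] from (1): (1/T^n) * prod_i (p_i^T - 1) / (p_i^(T-1) (p_i - 1))."""
    n = len(primes)
    return Fraction(1, T ** n) * prod(
        Fraction(p ** T - 1, p ** (T - 1) * (p - 1)) for p in primes)


def p_ell1(T, primes):
    """P[l = 1] = P[l = 0] - 1/T^n: only the tuple (0, ..., 0) can never wrap past N."""
    return p_ell0(T, primes) - Fraction(1, T ** len(primes))


def p_hat(T, primes, targets):
    """P^ = P[l = 0] * prod_{i in I} (1 - 1/p_i^2): y_i in {ybar_i - 1, ybar_i}."""
    return p_ell0(T, primes) * prod(
        Fraction(p * p - 1, p * p) for i, p in enumerate(primes) if i in targets)


def p_exact(T, primes, targets):
    """P = P[l = 0] * prod_{i in I} (1 - 1/p_i): every derived ybar_i is exact."""
    return p_ell0(T, primes) * prod(
        Fraction(p - 1, p) for i, p in enumerate(primes) if i in targets)


def random_guess(T, targets):
    """1/T^|I|: guessing the targeted secrets with no information at all."""
    return Fraction(1, T ** len(targets))


def attack_summary(T, primes, targets):
    """All probabilities of Sect. 4.1 for one parameter choice, as exact rationals."""
    return {
        "P[l=0]": p_ell0(T, primes),
        "P[l=1]": p_ell1(T, primes),
        "P_hat": p_hat(T, primes, targets),
        "P_exact": p_exact(T, primes, targets),
        "random": random_guess(T, targets),
    }


def bounds_hold(T, primes, targets):
    """The chain P[l=0] >= P^ >= 1/T^|I| >= P, which the text proves for I = [n]."""
    s = attack_summary(T, primes, targets)
    return s["P[l=0]"] >= s["P_hat"] >= s["random"] >= s["P_exact"]


if __name__ == "__main__":
    for name, value in attack_summary(5, (2, 3), {0, 1}).items():
        print(f"{name:8s} = {value} ~ {float(value):.4f}")
```

For the Example the ratios $P[\ell = 0] / T^{-n}$ and $\hat{P} / T^{-n}$ come out as $3751/1296 \approx 2.9$ and $3751/1944 \approx 1.9$, which is the "three times" and "twice" of the text.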

Discussion 

A natural question is why this attack doesn't apply to the HOT and AIR protocols. Recall that $D_{SK}(c_i) = (\tilde{\mu}_i, \tilde{r}_i)$, where $\tilde{\mu}_i = \mu_i + (\sigma - i) s_i \bmod N$ and $\tilde{r}_i = r_i r^{s_i} \bmod N$. But now since the sender chooses $r_i$ and $s_i$ at random in $\mathbb{Z}_N^*$ the chooser cannot derive $s_i$ from $\tilde{r}_i$. The same trick precludes the attack in the original Subset Inclusion protocol described in Section 3.4. 

Now we clarify why we call the chooser irrational. Note that in order to 
mount the attack the chooser puts his privacy at risk. This happens because the 
Paillier cryptosystem is not secure if the used “random coin” is not random. It 
can be easily verified that if the attacker knows $r$ then he can efficiently reveal $m$ from $E_K(m, r)$. Thus if the sender knows that he is subject to an attack he can 
reveal the chooser’s private input(s). Thus in order to get the sender’s inputs 
the chooser has to bluff, which we call irrational behavior. 

Our attack does not contradict the semantic security of the Paillier cryptosys- 
tem since the attack is performed by the owner of the private key. More precisely 
the owner of the private key encrypts a message which is then modified by an- 
other entity and returned back to the owner, who decrypts it and tries to figure 
out what the modification was. We would like to point out that the additional 
information from the random coins affects OT protocols because of their specific 
nature. 


4.2 Attack Against Non-interactive Zero-Knowledge 

We apply the compilation technique from [12] to obtain from the zero-knowledge protocol described in Section 3.5 a non-interactive one. Then we show that in this different (compared to OT protocols) scenario our attack can be mounted too. 
Setting 

Input: 

- The system setting is the tuple $(p, p', g_1, g_2, h_1, h_2)$ where $p, p'$ are prime, $p'$ is $k$-bit long, $p = 2p' + 1$, $g_1 \in \mathbb{Z}_p^*$ has order $p'$ and $g_2, h_1, h_2 \in \langle g_1 \rangle$. In addition $g_2 = g_1^{y}$ for some secret $y \in \mathbb{Z}_{p'}^*$ and $h_1 = g_1^{w} g_2^{w_1}$, $h_2 = g_1^{w} g_2^{w_2}$ for some $w_1, w_2 \in \mathbb{Z}_{p'}^*$. Let $w \in \mathbb{Z}_T$ and $T \ll N$. 

- The tuple $(p, p', g_1, g_2, h_1, h_2)$ is a common input to the prover and the verifier. 

- The prover gets $w, w_1, w_2$ as private input. 

- The verifier generates a (private, public) key-pair $(SK, K) \leftarrow \mathcal{G}_\Pi(1^k)$. Then he generates a random challenge $e \in_R \mathbb{Z}_N^*$, a random coin $s \in_R \mathbb{Z}_N^*$ and computes $c \leftarrow E_K(e, s)$. 

- The prover gets $c$ and $K$ as input. 

Output: The verifier checks whether $\log_{g_1}(h_1) \bmod y = \log_{g_2}(h_2) \bmod y$. 

Protocol Compile 

1. The prover chooses random $3k$-bit integers $r, r_1, r_2$ and computes $a_1 = g_1^{r} g_2^{r_1} \bmod p$ and $a_2 = g_1^{r} g_2^{r_2} \bmod p$. 

2. The prover computes $\bar{c} = E_K(r, \bar{s})\, c^{w}$, $\bar{c}_1 = E_K(r_1, \bar{s}_1)\, c^{w_1}$, $\bar{c}_2 = E_K(r_2, \bar{s}_2)\, c^{w_2}$ with some random coins $\bar{s}, \bar{s}_1, \bar{s}_2 \in_R \mathbb{Z}_N^*$. His proof is the tuple $(a_1, a_2, \bar{c}, \bar{c}_1, \bar{c}_2)$. 

Verification 

1. The verifier decrypts $\bar{c}, \bar{c}_1, \bar{c}_2$ obtaining $D_{SK}(\bar{c}) = (z, \tilde{r})$, $D_{SK}(\bar{c}_1) = (z_1, \tilde{r}_1)$, $D_{SK}(\bar{c}_2) = (z_2, \tilde{r}_2)$, where $z = r + ew$, $z_1 = r_1 + ew_1$, $z_2 = r_2 + ew_2$. 

2. Then the verifier checks that $g_1^{z} g_2^{z_1} = a_1 h_1^{e} \bmod p$ and $g_1^{z} g_2^{z_2} = a_2 h_2^{e} \bmod p$. 

Note that the ciphertexts $\bar{c}, \bar{c}_1, \bar{c}_2$ are randomized by the prover. The verifier can mount the attack as follows. Let us emphasize that we explicitly require $w \in \mathbb{Z}_T$ and $T \ll N$. It is easy to compute that $\tilde{r} = \bar{s} s^{w}$, $\tilde{r}_1 = \bar{s}_1 s^{w_1}$, $\tilde{r}_2 = \bar{s}_2 s^{w_2}$. In the setting phase the verifier chooses $s$ to be a small prime number, e.g. $p_1$. Thus the probability that $\gcd(\bar{s}, s) \neq 1$ is $\frac{1}{p_1}$. Moreover since $\bar{s} \in_R \mathbb{Z}_N^*$ the probability $\Pr[\bar{s}, w : \bar{s} s^{w} < N] = \frac{1}{T} \cdot \frac{p_1^{T} - 1}{p_1^{T-1} (p_1 - 1)}$ is larger than $\frac{1}{T}$. Hence the same type of attack can again be mounted by the verifier in the verification phase if the space from which $w$ is selected is small. A bound for $w$ can be derived, but not the exact value. Note that we intentionally modified the protocol from [12] to the Pedersen commitment, since the Pedersen commitment can perfectly hide any (even a small) secret $w$ (by $w_1$ and $w_2$). 

4.3 Precluding the Attack 

Finally we propose an easy fix to the protocols in order to resist our attack. Note that all these protocols use an encryption of 0 to re-randomize the ciphertext. If more than one re-randomization is applied (e.g. two) then the probability $P[\ell = 0] = \Pr\big[r, s \in_R \mathbb{Z}_N^* : rs \prod_{i=1}^{n} p_i^{y_i} < N\big]$ is smaller than the probability $P[\ell = 0]$ (OT case) multiplied by $\frac{1}{N} \sum_{i=1}^{N} \frac{1}{i}$, and therefore becomes negligible. The probability can be computed by taking into account that 

$$\Pr[r, s \in_R \mathbb{Z}_N^* : rs < \chi] = \sum_{i=1}^{N} \Pr[s = i] \Pr[r < \chi / i] = \frac{1}{N} \sum_{i=1}^{N} \Pr[r < \chi / i] \le \frac{\chi}{N^2} \sum_{i=1}^{N} \frac{1}{i}.$$

Thus we have shown that in these settings just one re-randomization is not sufficient, but two (or more) suffice. 
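The effect of the second re-randomization is easy to see by simulation. The following Python code is an added example, not the paper's: it performs only the coin arithmetic of the attack with $r_i = p_i$ (the Paillier ciphertexts play no role in the coin, so they are left out), draws the sender's $y_i$ uniformly from $\mathbb{Z}_T$, and estimates how often the event $\ell = 0$ occurs, how often the chooser's derived $\bar{y}_i = v_{p_i}(\tilde{r})$ are upper bounds, and how often they are exact, with one and with two sender coins. The modulus is a constructed small stand-in for the Paillier $N$; the names and the seed are the example's own.

```python
import math
import random

N_DEMO = 1009 * 1013  # constructed small modulus standing in for the Paillier N


def coin(rng, n):
    """Uniform element of Z_N^*: one re-randomization coin of the sender."""
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            return r


def valuation(x, p):
    """Largest m with p^m dividing x (x > 0): the chooser's 'simple division'."""
    m = 0
    while x % p == 0:
        x //= p
        m += 1
    return m


def one_run(rng, T, primes, n, rerandomizations):
    """Coin arithmetic of one protocol run, seen from the chooser.

    The chooser fixed r_i = p_i; the sender draws y_i uniformly from Z_T and
    multiplies in `rerandomizations` fresh coins from Z_N^*. The chooser only
    sees r_tilde = r_hat mod N and derives ybar_i as the p_i-adic valuation
    of r_tilde. Returns (no_wrap, upper_bounds_hold, all_exact)."""
    ys = [rng.randrange(T) for _ in primes]
    r_hat = math.prod(p ** y for p, y in zip(primes, ys))
    for _ in range(rerandomizations):
        r_hat *= coin(rng, n)
    r_tilde = r_hat % n            # nonzero as long as the p_i are coprime to N
    ybar = [valuation(r_tilde, p) for p in primes]
    no_wrap = r_hat < n            # the event l = 0 of Sect. 4.1
    upper = all(b >= y for b, y in zip(ybar, ys))
    exact = all(b == y for b, y in zip(ybar, ys))
    return no_wrap, upper, exact


def attack_rates(T, primes, rerandomizations, n=N_DEMO, trials=20000, seed=1):
    """Empirical (P[l=0], Pr[ybar_i >= y_i for all i], Pr[ybar_i == y_i for all i])."""
    rng = random.Random(seed)
    counts = [0, 0, 0]
    for _ in range(trials):
        for k, hit in enumerate(one_run(rng, T, primes, n, rerandomizations)):
            counts[k] += hit
    return tuple(c / trials for c in counts)


if __name__ == "__main__":
    for k in (1, 2):
        print(f"{k} re-randomization(s): (l=0, upper, exact) =",
              attack_rates(5, (2, 3), k))
```

With one coin the measured frequency of $\ell = 0$ sits near the $3751/32400 \approx 0.116$ given by (1) for $T = 5$, $p_1 = 2$, $p_2 = 3$; with two coins the product $rs \prod p_i^{y_i}$ wraps past $N$ in essentially every run, so the valuations of $\tilde{r}$ no longer have any relation to the $y_i$.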


5 Conclusion 

We have described an attack against several OT protocols and protocols derived from OT such as private matching, oblivious polynomial evaluation and private shared scalar product, which are based on a semantically secure homomorphic encryption scheme (e.g. Paillier's). Some semantically secure encryption schemes (e.g. Paillier's) possess the additional property that they also decrypt the random coin used for the encryption. We have shown that in certain cases the information which can be derived from the random coin is sufficient even for a semi-honest chooser to obtain bounds for the sender's private inputs with non-negligible probability. 

The following protocols could be subject to this attack: Stern at Asiacrypt’98, 
Goethals et al. at ICISC’04, Chang at ACISP’04, Freedman et al. at TCC’05, 
Damgard et al. at TCC’06 if applied in the scenario, when the secrets belong 
to a space very small compared to the (Paillier’s) plaintext space. A fix which 
precludes the attacks is proposed. 

Acknowledgements. We would like to thank the anonymous reviewers of AC 
2006 for the very helpful comments and suggestions. 
Abstract. We consider the problem of cheating in secret sharing 
schemes, cheating in which individuals submit forged shares in the secret 
reconstruction phase in an effort to make another participant reconstruct 
an invalid secret. We introduce a novel technique which uses universal 
hash functions to detect such cheating and propose two efficient secret 
sharing schemes that employ the functions. The first scheme is nearly 
optimum with respect to the size of shares; that is, the size of shares is 
only one bit longer than its existing lower bound. The second scheme 
possesses a particular merit in that the parameter for the probability of 
successful cheating can be chosen without regard to the size of the secret. 
Further, the proposed schemes are proven to be secure regardless of the 
probability distribution of the secret. 


1 Introduction 

A secret sharing scheme is a cryptographic primitive in which a secret is divided 
into shares and distributed among participants in such a way that only a qualified 
set of participants can recover the secret. It is a fundamental building block for 
many cryptographic protocols and is often used in the general composition of 
secure multiparty computations. While seminal papers were presented by Shamir 
[10] and Blakley [1] more than a quarter century ago, because of its importance 
in cryptography, it is still being studied actively today. 

Tompa and Woll have pointed out that in Shamir’s $k$-out-of-$n$ threshold secret 
sharing scheme, even a single user can fool other participants by submitting 
invalid shares at the secret reconstruction phase. They also proposed a scheme 
which can detect the fact of cheating when invalid shares are submitted at that 
point. Ogata, Kurosawa and Stinson also have presented an efficient scheme 
for detecting cheating [8] . While the size of shares in their scheme is proven to 
be optimum, the scheme is proven to be secure only if the secret is uniformly 
distributed, and the size of the secret will restrict possible value for the successful 
cheating probability. 

In this paper, we propose two efficient $k$-out-of-$n$ threshold secret sharing 
schemes which are secure regardless of the probability distribution of the secret. 
The first scheme is nearly optimum with respect to the size of shares; that is, the 
size of shares is only one bit longer than its existing bound. In the second scheme, 
the size of shares is somewhat larger than the first scheme, but the second scheme 
possesses a particular merit in that the successful cheating probability can be 
chosen without regard to the size of the secret. This is not the case in either 
the first scheme or the scheme in [8] . The size of shares in the second scheme is 
much smaller than that in the scheme by Tompa and Woll, which is also secure 
for arbitrary secret distribution and whose successful cheating probability can 
be also chosen without regard to the size of the secret. The size of shares in the 
second scheme will be even smaller than that in [8] when $\epsilon > |\mathcal{S}|^{-1/2}$, where $\epsilon$ denotes the successful cheating probability and $\mathcal{S}$ denotes the set of secrets$^1$. This interesting phenomenon results from inflexibility of parameter values in [8]. Note that the condition $\epsilon > |\mathcal{S}|^{-1/2}$ is quite reasonable since $\epsilon$ is usually required to be $2^{-128}$ or $2^{-256}$, whereas the size of the secret can be as large as $|\mathcal{S}| = 2^{1024}$ or more. 

The main idea of the proposed schemes is to use universal hash functions 
(more precisely, a variant of ASU$_2$, an almost strongly universal class of hash 
functions) for cheating detection. Here, the key for the universal hash functions 
is distributedly shared together with the share of the secret. In reconstructing 
the secret, both the secret and the key are reconstructed, and each participant 
verifies that the secret and the hash value are consistent. We additionally provide 
some techniques to reduce the size of shares and to prevent the hash value from 
revealing any information about the secret. 

The rest of the paper is organized as follows. In Section 2, we briefly review 
models of secret sharing schemes capable of detecting cheating, and we discuss 
previous works done on them. In Section 3, we introduce a novel technique for 
detecting cheating via a universal hash family, and we present efficient schemes 
based on it. In Section 4, we describe two generalizations of the schemes pre- 
sented in Section 3. In Section 5, we introduce new models which deal with more 
powerful cheaters than those in existing models, and we present schemes secure 
in the new models. In Section 6, we summarize our work. 

2 Preliminaries 

2.1 Secret Sharing Schemes 

In secret sharing schemes, there are $n$ participants $\mathcal{P} = \{P_1, \dots, P_n\}$ and a dealer $D$. The set of participants who are allowed to reconstruct the secret is characterized by an access structure $\Gamma \subseteq 2^{\mathcal{P}}$; that is, participants $P_{i_1}, \dots, P_{i_k}$ are allowed to reconstruct the secret if and only if $\{P_{i_1}, \dots, P_{i_k}\} \in \Gamma$ (for instance, the access structure of a $k$-out-of-$n$ threshold secret sharing scheme is defined by $\Gamma = \{A \mid A \in 2^{\mathcal{P}}, |A| \ge k\}$.) A model consists of two algorithms: ShareGen and Reconst. Share generation algorithm ShareGen takes a secret $s \in \mathcal{S}$ as input and outputs a list $(v_1, v_2, \dots, v_n)$. Each $v_i \in \mathcal{V}_i$ is called a share and is given to a participant $P_i$. Ordinarily, ShareGen is invoked by the dealer. Secret reconstruction algorithm Reconst takes a list of shares and outputs a secret $s \in \mathcal{S}$. 


Throughout the paper, the cardinality of the set X is denoted by \X\. 
A secret sharing scheme is called perfect if the following two conditions are satisfied for the output $(v_1, \dots, v_n)$ of ShareGen($s$), where the probabilities are taken over the random tape of ShareGen. 

1. if $\{P_{i_1}, \dots, P_{i_k}\} \in \Gamma$ then $\Pr[\mathrm{Reconst}(v_{i_1}, \dots, v_{i_k}) = s] = 1$, 

2. if $\{P_{i_1}, \dots, P_{i_k}\} \notin \Gamma$ then $\Pr[\mathcal{S} = s \mid V_{i_1} = v_{i_1}, \dots, V_{i_k} = v_{i_k}] = \Pr[\mathcal{S} = s]$ for any $s \in \mathcal{S}$. 

2.2 Secret Sharing Schemes Secure Against Cheating 

A secret sharing scheme capable of detecting cheating was first presented by Tompa and Woll [12]. They considered the scenario in which cheaters who do not belong to the access structure submit forged shares in the secret reconstruction phase. Such cheaters will succeed if another participant in the reconstruction accepts an incorrect secret$^2$. There are two different models for secret sharing schemes capable of detecting such cheating. Carpentieri, De Santis and Vaccaro [3] first considered a model in which cheaters who know the secret try to make another participant reconstruct an invalid secret. We call this model the “CDV model.” Recently, Ogata, Kurosawa and Stinson [8] introduced a model with weaker cheaters who do not know the secret in forging their shares. We call this model the “OKS model.” 

As in ordinary secret sharing schemes, each of these models consists of two algorithms. A share generation algorithm ShareGen is the same as that in the ordinary secret sharing schemes. A secret reconstruction algorithm Reconst is slightly changed: it takes a list of shares as input and outputs either a secret or the special symbol $\perp$ ($\perp \notin \mathcal{S}$). Reconst outputs $\perp$ if and only if cheating has been detected. To formalize the models, we define the following simple game for any $(k, n)$ threshold secret sharing scheme $SS = (\mathrm{ShareGen}, \mathrm{Reconst})$ and for any (not necessarily polynomially bounded) Turing machine $A = (A_1, A_2)$, where $A$ represents cheaters $P_{i_1}, \dots, P_{i_{k-1}}$ who try to cheat $P_{i_k}$. Please note that in this section and the next we will focus on the $(k, n)$ threshold type access structure. A more general access structure will be discussed in Section 4. 

Game($SS$, $A$) 

$s \leftarrow \mathcal{S}$; // according to the probability distribution over $\mathcal{S}$. 

$(v_1, \dots, v_n) \leftarrow \mathrm{ShareGen}(s)$; 

$A_1()$; 

// set $X = s$ for the CDV model, $X = \emptyset$ for the OKS model. 

$(v'_{i_1}, \dots, v'_{i_{k-1}}) \leftarrow A_2(v_{i_1}, \dots, v_{i_{k-1}}, X)$; 

The advantage of cheaters is expressed as $\mathrm{Adv}(SS, A) = \Pr[s' \in \mathcal{S} \wedge s' \neq s]$, where $s' = \mathrm{Reconst}(v'_{i_1}, v'_{i_2}, \dots, v'_{i_{k-1}}, v_{i_k})$ and the probability is taken over the distribution of $\mathcal{S}$, and over the random tapes of ShareGen and $A$. 

2 Please note that here we focus on the problem of detecting the fact of cheating with 
unconditional security. Neither secret sharing schemes which identify cheaters [2,6] 
nor verifiable secret sharing schemes [9,4] are within the scope of this paper. 
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Definition 1. A ( k,n ) threshold secret sharing scheme SS is called a (k, n. e)- 
secure secret sharing scheme if Adv( SS, A) < e for any adversary A. 

2.3 Previous Work

In this subsection, we briefly review the known bounds and constructions of
$(k, n, \epsilon)$-secure secret sharing schemes. A lower bound for the size of shares in
the CDV model is described as follows:

Proposition 1. [3] In the CDV model, the size of shares for $(k, n, \epsilon_{\mathrm{CDV}})$-secure
secret sharing schemes is lower bounded by $|\mathcal{V}_i| \geq$ [bound illegible in source].

Ogata et al. improved this bound when the secret is uniformly distributed:

Proposition 2. [8] In the CDV model, if the secret is uniformly distributed,
then the size of shares $|\mathcal{V}_i|$ for $(k, n, \epsilon_{\mathrm{CDV}})$-secure secret sharing schemes is lower
bounded by $|\mathcal{V}_i| \geq$ [bound illegible in source] $+ 1$.

Ogata et al. also presented the lower bound for the size of shares for $(k, n, \epsilon_{\mathrm{OKS}})$-
secure secret sharing schemes in the OKS model as follows.

Proposition 3. [8] In the OKS model, the size of shares for $(k, n, \epsilon_{\mathrm{OKS}})$-secure
secret sharing schemes is lower bounded by $|\mathcal{V}_i| \geq$ [bound illegible in source] $+ 1$.

The following corollary may be seen to be straightforward from Proposition 2
since it has to hold for a uniformly distributed secret.

Corollary 1. In the CDV model, the size of shares for $(k, n, \epsilon_{\mathrm{CDV}})$-secure se-
cret sharing schemes which satisfy the following two conditions is lower bounded
by $|\mathcal{V}_i| \geq$ [bound illegible in source] $+ 1$. (1) The successful cheating probability is upper bounded by $\epsilon_{\mathrm{CDV}}$
regardless of the probability distribution of the secret. (2) Share generation is
independent of the secret distribution (i.e. ShareGen does not need to know the
secret distribution.)

Because it is in general difficult to determine exact probability distributions, we
do not consider here situations in which the share generation algorithm knows
the secret distribution and shares are generated according to the distribution.³

Within the OKS model, Ogata et al. have proposed an elegant $(k, n, \epsilon_{\mathrm{OKS}})$-
secure secret sharing scheme that satisfies the bound of Proposition 3 with
equality [8]. The construction is summarized by the following proposition (please
refer to [7] for the definition of a difference set.)

Proposition 4. [8] If there exists an $(N, l, \lambda)$ difference set then there exists
a $(k, n, \epsilon_{\mathrm{OKS}})$-secure secret sharing scheme in the OKS model which satisfies the
lower bound of Proposition 3 with equality. The scheme is secure if the secret is
uniformly distributed.

³ As mentioned in [8], an example exists in which the size of shares is smaller than
the bound of Proposition 2 when the secret is not uniformly distributed and shares
are generated according to the distribution.
However, there are two drawbacks in the scheme of [8]. The first is that the
scheme is proven to be secure only if the secret is uniformly distributed. This
drawback comes from the property of the scheme that the share of the target
participant can be uniquely determined from the shares of $k - 1$ cheaters and
the secret. Therefore, if there exists a secret which occurs with high probabil-
ity, then cheaters can guess the share of the target participant also with high
probability, which makes the successful cheating probability larger than what
is expected when the secret is uniformly distributed. The second drawback is
that the successful cheating probability is uniquely determined from the size of
the secret; that is, $\epsilon_{\mathrm{OKS}}$ is determined to be $\epsilon_{\mathrm{OKS}} = 1/|\mathcal{S}|$ in [8]. On the other
hand, the scheme by Tompa and Woll [12], which is secure in the CDV model, is
proven to be secure for arbitrary secret distributions, and the successful cheating
probability can be chosen without regard to the size of the secret. However, the
size of shares is as large as $|\mathcal{V}_i| = ($[term illegible in source]$ + k)^2$.

3 Proposed Schemes

In this section, we propose two efficient $(k, n, \epsilon_{\mathrm{CDV}})$-secure secret sharing schemes
in the CDV model which are proven to be secure for any secret distribution. The
first scheme is nearly optimum with respect to the size of shares; that is, the
size of shares is $|\mathcal{V}_i| = |\mathcal{S}|/\epsilon_{\mathrm{CDV}}^2$, which is only one bit longer than the bound of
Corollary 1. The size of shares in the second scheme is $|\mathcal{V}_i| = |\mathcal{S}|(\log|\mathcal{S}|)^2/\epsilon_{\mathrm{CDV}}^2$.
Though the size of shares is larger than in the first scheme, the second scheme
possesses a particular merit in that the size of the secret and the successful
cheating probability can be chosen independently.

The underlying (and yet naive) idea of the schemes is to use almost strongly
universal hash functions $\epsilon_{\mathrm{CDV}}$-ASU$_2$ for cheating detection. A family of hash func-
tions $H : A \to B$ with the properties (1) and (2) below is called an $\epsilon$-ASU$_2$. (1)
For any $x \in A$ and $y \in B$, $|\{h_e \in H \mid h_e(x) = y\}| = |H|/|B|$. (2) For any $x_1, x_2\,(\neq x_1) \in A$
and $y_1, y_2 \in B$, $|\{h_e \in H \mid h_e(x_1) = y_1,\ h_e(x_2) = y_2\}| = \epsilon|H|/|B|$, where
$h_e$ denotes the element of $H$ indexed by the key $e \in \mathcal{E}$ (clearly $|H| = |\mathcal{E}|$ holds.)

Now, consider the secret sharing scheme in which a randomly chosen key $e \in \mathcal{E}$
of $H$ (where $H : \mathcal{S} \to B$ is $\epsilon_{\mathrm{CDV}}$-ASU$_2$) is shared as well as the secret $s \in \mathcal{S}$ using
Shamir's $(k, n)$ threshold secret sharing scheme, and the hash value $b = h_e(s)$
is open to the public. In the reconstruction phase, a secret $s$ and a key $e$ are
reconstructed and Reconst outputs $s$ as the valid secret if and only if $h_e(s) = b$
holds. Intuitively, the scheme seems to be $(k, n, \epsilon_{\mathrm{CDV}})$-secure in the CDV model
since knowledge of the secret $s$ does not help cheaters to compute $\tilde{s}\,(\neq s)$ such
that $h_e(\tilde{s}) = b$ with probability better than $\epsilon_{\mathrm{CDV}}$.

However, we must be careful about the following problems. The first problem
is that the key $e \in \mathcal{E}$ reconstructed from the shares is not always the same as the
original one, since cheaters can forge the shares of the key for the hash func-
tion. Therefore, we cannot prove the security of the above scheme directly from
the properties of $\epsilon$-ASU$_2$. The second problem is that public (and unforgeable)
storage to store the hash value $b = h_e(s)$ is not always available. If public
storage is not available then the hash value has to be included in the share of
each participant, which makes the size of shares larger. Further, we must ensure
that the hash value $b = h_e(s)$ does not reveal any information about the secret,
since the scheme is no longer perfect if that is not the case. To overcome the first
problem, we choose a specific $\epsilon$-ASU$_2$ which can ensure security even when
the key for the hash function is forged.⁴ To overcome the second and the third
problems, we fix the hash value $b = h_e(s)$ to be a constant (e.g. 0), by which we
can eliminate the public storage or additional shares without any loss of security.

We use two families of hash functions to construct the schemes. The first
scheme is based on the well known $1/p$-ASU$_2$ such that $H = \{h_{e_0,e_1} \mid h_{e_0,e_1}(s) =
e_0 - s \cdot e_1,\ e_i \in \mathrm{GF}(p)\}$ (e.g. [11].) The second scheme is a generalization of the
first scheme and is based on the hash family $H = \{h_{e_0,e_1} \mid h_{e_0,e_1}(s_1, \ldots, s_N) =
e_0 - \sum_{j=1}^{N} s_j \cdot e_1^j,\ e_i \in \mathrm{GF}(p)\}$, which is proven to be $N/p$-ASU$_2$ [5].

3.1 Almost Optimum Scheme

The share generation algorithm ShareGen and the secret reconstruction algorithm
Reconst of the first scheme are described as follows, where $p$ is a prime power.

Share Generation: On input a secret $s \in \mathrm{GF}(p)$, the share generation algorithm
ShareGen outputs a list of shares $(v_1, \ldots, v_n)$ as follows:

1. Choose random $e_0, e_1 \in \mathrm{GF}(p)$ such that $e_0 - s \cdot e_1 = 0$.

2. Generate random polynomials $f_s(x), f_{e_0}(x), f_{e_1}(x) \in \mathrm{GF}(p)[X]$ of degree
$k - 1$ such that $f_s(0) = s$, $f_{e_0}(0) = e_0$ and $f_{e_1}(0) = e_1$.

3. Compute $v_i = (f_s(i), f_{e_0}(i), f_{e_1}(i))$ and output $(v_1, \ldots, v_n)$.

Secret Reconstruction and Validity Check: On input a list of $k$ shares $(v_{i_1}, \ldots,
v_{i_k})$, the secret reconstruction algorithm Reconst outputs a secret $s$ or $\bot$ as
follows:

1. Reconstruct $s$, $e_0$ and $e_1$ from $v_{i_1}, \ldots, v_{i_k}$ using Lagrange interpolation.

2. Output $s$ if $e_0 - s \cdot e_1 = 0$ holds. Otherwise Reconst outputs $\bot$.

The properties of the first scheme are summarized by the following theorem.

Theorem 1. The scheme of §3.1 is a $(k, n, \epsilon)$-secure secret sharing scheme in the
CDV model with parameters $|\mathcal{S}| = p$, $\epsilon = 1/p$ and $|\mathcal{V}_i| = p^3$ $(= |\mathcal{S}|/\epsilon^2)$. Further,
the scheme is secure for arbitrary secret distribution.

The size of shares in the first scheme is only one bit longer than the lower bound
of Proposition 2 since $|\mathcal{S}|/\epsilon^2 \leq 2($[bound illegible in source]$ + 1)$ holds for $|\mathcal{S}| \geq 2$.

3.2 A Scheme with Flexible Parameters

In the first scheme, the successful cheating probability is uniquely determined
from the size of the secret. On the other hand, the successful cheating probability
can be chosen without regard to the size of the secret in the second scheme. The
second scheme can be described as follows.

⁴ Formal requirements for the family of hash functions are given in Section 4.
Share Generation: On input a secret $s = (s_1, \ldots, s_N) \in \mathrm{GF}(p)^N$, the share
generation algorithm ShareGen outputs a list of shares $(v_1, \ldots, v_n)$ according to
the following procedure. Please note that we sometimes regard $s = (s_1, \ldots, s_N)$
as an element of $\mathrm{GF}(p^N)$ instead of $\mathrm{GF}(p)^N$.

1. Choose random $e_0, e_1 \in \mathrm{GF}(p)$ such that $e_0 - \sum_{j=1}^{N} s_j e_1^j = 0$.

2. Generate a random polynomial $f_s(x) \in \mathrm{GF}(p^N)[X]$ and random polynomials $f_{e_0}(x), f_{e_1}(x) \in
\mathrm{GF}(p)[X]$ of degree $k - 1$ such that $f_s(0) = s$, $f_{e_0}(0) = e_0$ and $f_{e_1}(0) = e_1$.

3. Compute $v_i = (f_s(i), f_{e_0}(i), f_{e_1}(i))$ and output $(v_1, \ldots, v_n)$.

Secret Reconstruction and Validity Check: On input a list of $k$ shares $(v_{i_1}, \ldots,
v_{i_k})$, the secret reconstruction algorithm Reconst outputs a secret $s$ or $\bot$ as
follows:

1. Reconstruct $s$, $e_0$ and $e_1$ from $v_{i_1}, \ldots, v_{i_k}$ using Lagrange interpolation.

2. Output $s$ if $e_0 - \sum_{j=1}^{N} s_j e_1^j = 0$ holds. Otherwise Reconst outputs $\bot$.

The following theorem holds for the second scheme. Note that the successful
cheating probability $\epsilon$ can be chosen flexibly by choosing the prime power $p$.

Theorem 2. The scheme of §3.2 is a $(k, n, \epsilon)$-secure secret sharing scheme in the
CDV model with parameters $|\mathcal{S}| = p^N$, $\epsilon = N/p$, $|\mathcal{V}_i| = p^{N+2}$ $(= |\mathcal{S}|(\log_p|\mathcal{S}|)^2/\epsilon^2)$.
Further, the scheme is secure for arbitrary secret distribution.
Proof. Without loss of generality, we can assume $P_1, \ldots, P_{k-1}$ are cheaters and
they try to cheat $P_k$ by forging their shares $v_i = (v_{s,i}, v_{e_0,i}, v_{e_1,i})$ $(1 \leq i \leq k - 1)$.

We consider two cases depending on whether the cheaters know the secret.
In the first case, suppose that the cheaters know the secret. The cheaters obtain
the following information about $e_0$ and $e_1$ from their shares $v_1, \ldots, v_{k-1}$ and the
secret $s \in \mathcal{S}$: $e_t = L_k v_{e_t,k} + \sum_{j=1}^{k-1} L_j v_{e_t,j}$ (for $t = 0, 1$), $e_0 - \sum_{j=1}^{N} s_j \cdot e_1^j = 0$,
where $v_{e_0,k}$ and $v_{e_1,k}$ are unknown to the cheaters and each $L_j$ is a Lagrange
coefficient. For simplicity, we will rewrite $e_t$ by $e_t = L_k v_{e_t,k} + C_t$ (for $t = 0, 1$)
where $C_t = \sum_{j=1}^{k-1} L_j v_{e_t,j}$ are known to the cheaters. Then we have

$$L_k v_{e_0,k} + C_0 = \sum_{j=1}^{N} s_j \cdot (L_k v_{e_1,k} + C_1)^j. \qquad (1)$$

Now suppose the cheaters try to cheat $P_k$ by forging their shares to $v'_i =
(v'_{s,i}, v'_{e_0,i}, v'_{e_1,i})$ (for $1 \leq i \leq k - 1$.) They succeed in cheating $P_k$ if $e'_0 -
\sum_{j=1}^{N} s'_j \cdot e'^{\,j}_1 = 0$ holds, where $e'_0$, $e'_1$ and $s'\,(\neq s)$ are computed by $e'_0 = L_k v_{e_0,k} +
\sum_{j=1}^{k-1} L_j v'_{e_0,j}$, $e'_1 = L_k v_{e_1,k} + \sum_{j=1}^{k-1} L_j v'_{e_1,j}$ and $s' = L_k v_{s,k} + \sum_{j=1}^{k-1} L_j v'_{s,j}$. Let
$C'_t = \sum_{j=1}^{k-1} L_j v'_{e_t,j}$ (for $t = 0, 1$); then the cheaters succeed in cheating if the
following equality holds (please note that the cheaters can control the values of
$C'_0$, $C'_1$ and $s'$ as they want by adjusting their shares.⁵)

$$L_k v_{e_0,k} + C'_0 = \sum_{j=1}^{N} s'_j \cdot (L_k v_{e_1,k} + C'_1)^j \qquad (2)$$

⁵ The cheaters can control $s'$ since they can compute $v_{s,k}$ from their shares and $s$.
The successful cheating probability $\epsilon$ is computed as follows:

$$\epsilon = \Pr[s' \in \mathcal{S} \wedge s' \neq s] = \Pr[\text{eq. (1) and eq. (2) hold} \mid \text{eq. (1) holds}] = N/p.$$

We will show the above equation. The condition "eq. (1) and eq. (2) hold" is
equivalent to "eq. (1) and eq. (3) hold", where eq. (3) is described as follows:

$$\sum_{j=1}^{N} s_j \cdot (L_k v_{e_1,k} + C_1)^j - C_0 = \sum_{j=1}^{N} s'_j \cdot (L_k v_{e_1,k} + C'_1)^j - C'_0. \qquad (3)$$

Now let $J$ be the largest number such that $s_J \neq s'_J$; then eq. (3) can be rewritten
as the univariate equation $(s_J - s'_J) L_k^J v_{e_1,k}^J + \sum_{j=0}^{J-1} a_j v_{e_1,k}^j = 0$ of degree $J$ in
the variable $v_{e_1,k}$, where all the coefficients can be arbitrarily controlled by the
cheaters except that $(s_J - s'_J) L_k^J \neq 0$. This equation has at most $J\ (\leq N)$ roots,
and for each root $v_{e_1,k}$ there exists a unique $v_{e_0,k}$ that satisfies eq. (1). Since
the share generation algorithm ShareGen chooses the actual $(v_{e_0,k}, v_{e_1,k})$ uniformly
at random from the $p$ pairs $(v_{e_0,k}, v_{e_1,k})$ which satisfy eq. (1), we see that
the successful cheating probability of the cheaters is upper bounded by $N/p$.

Now we consider the second case in which the cheaters do not know the secret.
In this case the successful cheating probability of the cheaters who forge their
shares from $v_i = (v_{s,i}, v_{e_0,i}, v_{e_1,i})$ to $v'_i = (v'_{s,i}, v'_{e_0,i}, v'_{e_1,i})$, where at least one $v'_{s,i}$
must satisfy $v'_{s,i} \neq v_{s,i}$, is computed as follows:

$$\epsilon = \sum_{s \in \mathcal{S}} \Pr[\mathcal{S} = s] \Pr[s' \in \mathcal{S} \wedge s' \neq s]
= \sum_{s \in \mathcal{S}} \Pr[\mathcal{S} = s] \Pr[\text{eq. (1) and eq. (2) hold} \mid \text{eq. (1) holds}] = N/p.$$

The above equality holds since $\Pr[\text{eq. (1) and eq. (2) hold} \mid \text{eq. (1) holds}] = N/p$
holds for any $s \in \mathcal{S}$. □

Note that the above proof includes the proof of Theorem 1 since the first scheme
is obtained by setting $N = 1$ in the second scheme.

4 Generalization

In this section, we present more general results on the access structures and on
the class of hash functions used to detect cheating.

Though the schemes presented in Section 3 only deal with the $(k, n)$ threshold type
access structure, we can show that the proposed technique can be applied to any
linear secret sharing scheme. A linear secret sharing scheme is a class of secret
sharing schemes with the following properties: (1) The secret $s$ is an element of
a finite field $F$. (2) The shares $(v_1, \ldots, v_n)$ are generated by $(v_1, v_2, \ldots, v_n) =
(s, r_1, \ldots, r_{t-1})\, M$, where $M$ is a fixed $t \times n$ matrix over $F$ and each $r_i \in F$ is
chosen randomly. (3) For a set of participants $\mathcal{V} = \{P_{i_1}, \ldots, P_{i_t}\} \in \Gamma$ and their
shares $(v_{i_1}, \ldots, v_{i_t})$, the secret $s$ is computed by $s = \sum_{j=1}^{t} c_{\mathcal{V},j} \cdot v_{i_j}$, where each
$c_{\mathcal{V},j} \in F$ is a constant uniquely determined from $\mathcal{V}$.

We can also generalize the class of hash functions used to detect cheating. To
characterize such a class of hash functions, we define a new class of hash functions
called strongly key-differential universal ($\epsilon$-SKDU$_2$ for short) as follows:
Definition 2. A family of hash functions $H : A \to B$ is called a strongly key-
differential universal $\epsilon$-SKDU$_2$ if there exists $b \in B$ such that for any distinct
$a, a' \in A$ and for any $c \in \mathcal{E}$,

$$\frac{|\{h_e \mid e \in \mathcal{E},\ h_e(a) = b,\ h_{e+c}(a') = b\}|}{|\{h_e \mid e \in \mathcal{E},\ h_e(a) = b\}|} \leq \epsilon. \qquad (4)$$

Further, an $\epsilon$-SKDU$_2$ is called "efficiently samplable" if there exists an efficient
(i.e. polynomial time) algorithm to choose $e \in \mathcal{E}$ randomly from the set $\{e \in \mathcal{E} \mid
h_e(a) = b\}$ for any $a \in A$.

The following theorem shows that we can construct a secret sharing scheme ca-
pable of detecting cheating in the CDV model from any linear secret sharing
schemes over $\mathcal{S}$ and over $\mathcal{E}$, and any efficiently samplable $\epsilon$-SKDU$_2$ with the
domain $\mathcal{S}$.

Theorem 3. If there exist linear secret sharing schemes over $\mathcal{S}$ and $\mathcal{E}$ for a
common access structure $\Gamma$ and an efficiently samplable $\epsilon$-SKDU$_2$ $H : \mathcal{S} \to B$,
then there exists a secret sharing scheme capable of detecting cheating for the
access structure $\Gamma$ in the CDV model such that the successful cheating probability
is equal to $\epsilon$ for arbitrary secret distribution.

Proof. Let $\mathcal{S}$ and $\mathcal{E}$ be the set of secrets and the set of keys for the $\epsilon$-SKDU$_2$, re-
spectively, and let SS$_1$ = (ShareGen$_1$, Reconst$_1$) and SS$_2$ = (ShareGen$_2$, Reconst$_2$)
be linear secret sharing schemes over $\mathcal{S}$ and over $\mathcal{E}$ for the same access structure
$\Gamma$, respectively. We construct a secret sharing scheme secure against cheaters
SS = (ShareGen, Reconst) as follows.

Share Generation: On input a secret $s \in \mathcal{S}$, the share generation algorithm
ShareGen outputs a list of shares $(v_1, \ldots, v_n)$ as follows:

1. Choose a random $e \in \mathcal{E}$ such that $h_e(s) = b$, which can be computed effi-
ciently since an efficiently samplable $\epsilon$-SKDU$_2$ is used.

2. Generate $(v_{s,1}, \ldots, v_{s,n}) \leftarrow \mathrm{ShareGen}_1(s)$ and $(v_{e,1}, \ldots, v_{e,n}) \leftarrow \mathrm{ShareGen}_2(e)$.

3. Compute the share $v_i = (v_{s,i}, v_{e,i})$ of each $P_i$ and output $(v_1, \ldots, v_n)$.

Secret Reconstruction and Validity Check: On input $t$ shares $(v_{i_1}, \ldots, v_{i_t})$ such
that $\{P_{i_1}, \ldots, P_{i_t}\} \in \Gamma$, the secret reconstruction algorithm Reconst outputs a
secret $s \in \mathcal{S}$ or $\bot$ as follows:

1. Compute $s \leftarrow \mathrm{Reconst}_1(v_{s,i_1}, \ldots, v_{s,i_t})$ and $e \leftarrow \mathrm{Reconst}_2(v_{e,i_1}, \ldots, v_{e,i_t})$.

2. Output $s$ if $h_e(s) = b$. Otherwise Reconst outputs $\bot$.

Now we show that SS = (ShareGen, Reconst) constructed above is $\epsilon$-secure.
Without loss of generality we can assume that $\mathcal{V} = \{P_1, \ldots, P_t\}$ is an element of
$\Gamma$ and that $P_1, \ldots, P_{t-1}$ are cheaters who try to cheat $P_t$. There are two cases
to consider. In the first case, suppose that the cheaters know the secret.

Let $v_i = (v_{s,i}, v_{e,i})$ be the share of $P_i$. Since the cheaters know their shares
$v_1, \ldots, v_{t-1}$ and the secret $s$, and since SS$_1$ and SS$_2$ are linear secret sharing
schemes, the cheaters know that $h_e(s) = b$ holds where $e$ is computed by $e = c_{\mathcal{V},t} v_{e,t} +
\sum_{j=1}^{t-1} c_{\mathcal{V},j} v_{e,j}$ for constants $c_{\mathcal{V},j}$. Now suppose the cheaters try to cheat $P_t$ by
forging their shares to $v'_i = (v'_{s,i}, v'_{e,i})$ (for $1 \leq i \leq t - 1$.) They succeed in
cheating $P_t$ if $h_{e'}(s') = b$ holds for $e'$ and $s'\,(\neq s)$ computed by $e' = c_{\mathcal{V},t} v_{e,t} +
\sum_{j=1}^{t-1} c_{\mathcal{V},j} v'_{e,j}$, $s' = c_{\mathcal{V},t} v_{s,t} + \sum_{j=1}^{t-1} c_{\mathcal{V},j} v'_{s,j}$. Since $e' = e + \sum_{j=1}^{t-1} c_{\mathcal{V},j}(v'_{e,j} - v_{e,j})$
holds, we see that the cheaters succeed in cheating if $h_{e+c}(s') = b$ holds, where
$c = \sum_{j=1}^{t-1} c_{\mathcal{V},j}(v'_{e,j} - v_{e,j})$ is known to the cheaters. Therefore, the successful
cheating probability $\epsilon$ is computed as follows.

$$\Pr[s' \in \mathcal{S} \wedge s' \neq s]
= \Pr[h_e(s) = b \text{ and } h_{e+c}(s') = b \mid h_e(s) = b]
= \frac{\Pr[h_e(s) = b \text{ and } h_{e+c}(s') = b]}{\Pr[h_e(s) = b]}
= \frac{|\{h_e \mid h_e(s) = b,\ h_{e+c}(s') = b\}|}{|\{h_e \mid h_e(s) = b\}|} \leq \epsilon,$$

where the last step directly follows from eq. (4).

It can be proven that the successful cheating probability is upper bounded
by $\epsilon$ when the cheaters do not know the secret by the same technique used in
Theorem 2. □

It is easily checked that the families of hash functions used in the proposed
schemes of Section 3 meet the requirements of efficiently samplable $\epsilon$-SKDU$_2$.
Constructions of $\epsilon$-SKDU$_2$ other than those used in the proposed schemes
will be of independent interest. The following theorem shows that an $\epsilon$-SKDU$_2$
(and therefore, a secret sharing scheme capable of detecting cheating) can be
constructed from an $\epsilon$-ASU$_2$ with additional properties.

Theorem 4. If a family of hash functions $H : A \to B$ is an $\epsilon$-ASU$_2$ with the
properties (1) and (2) below, then $H$ is an efficiently samplable $\epsilon$-SKDU$_2$.

(1) $H$ is constructed from an $\epsilon$-A$\Delta$U$_2$ $H_\Delta : A \to B$ as follows, where an $\epsilon$-A$\Delta$U$_2$ is
a family of hash functions such that $|\{h_e \in H_\Delta \mid h_e(a) - h_e(a') = b\}| = \epsilon|H_\Delta|$ for
any distinct $a, a' \in A$ and for any $b \in B$.

$$H = \{h_{e_0,e_1} \mid h_{e_0,e_1}(a) = h'_{e_0}(a) + e_1,\ h'_{e_0} \in H_\Delta,\ e_1 \in B\}$$

(2) $H_\Delta$ is linear with respect to the key; that is, $h'_{e+e'}(a) = h'_e(a) + h'_{e'}(a)$ holds
for any $e, e' \in \mathcal{E}$ and for any $a \in A$.

Proof. It is well known that the family of hash functions $H$ constructed as above
is $\epsilon$-ASU$_2$ (please refer to [11] for the proof.) Let $b$ be an arbitrary element of $B$;
then we will show that $H$ satisfies the conditions of an efficiently samplable $\epsilon$-
SKDU$_2$. First, it is easy to see that $e_0$ and $e_1$ such that $h_{e_0,e_1}(a) = b$ are efficiently
samplable by choosing $e_0 \in \mathcal{E}$ randomly and by computing $e_1 = b - h'_{e_0}(a)$.
Next, we show that eq. (4) holds for $H$. Since $H$ is constructed based on $H_\Delta$
with the property $h'_{e+e'}(a) = h'_e(a) + h'_{e'}(a)$ for any $h' \in H_\Delta$, $h_{e_0+c_0,\,e_1+c_1}(a) =
h'_{e_0+c_0}(a) + (e_1 + c_1) = (h'_{e_0}(a) + e_1) + (h'_{c_0}(a) + c_1) = h_{e_0,e_1}(a) + h_{c_0,c_1}(a)$ holds
for any $a \in A$ and for any $(e_0, e_1), (c_0, c_1) \in \mathcal{E} \times B$. Therefore, the following
equation holds.

$$|\{h_{e_0,e_1} \in H \mid h_{e_0,e_1}(a) = b,\ h_{e_0+c_0,\,e_1+c_1}(a') = b\}|
= |\{h_{e_0,e_1} \in H \mid h_{e_0,e_1}(a) = b,\ h_{e_0,e_1}(a') = b - h_{c_0,c_1}(a')\}|
= |\{h_{e_0,e_1} \in H \mid h_{e_0,e_1}(a) = b,\ h_{e_0,e_1}(a') = b'\}| = \epsilon|H|/|B|,$$

where the last equation follows from the second condition of $\epsilon$-ASU$_2$. Combining
the above equation and the first property of $\epsilon$-ASU$_2$: $|\{h_{e_0,e_1} \in H \mid h_{e_0,e_1}(a) =
b\}| = |H|/|B|$, we have

$$\frac{|\{h_{e_0,e_1} \in H \mid h_{e_0,e_1}(a) = b,\ h_{e_0+c_0,\,e_1+c_1}(a') = b\}|}{|\{h_{e_0,e_1} \in H \mid h_{e_0,e_1}(a) = b\}|} = \epsilon$$

for any distinct $a, a' \in A$ and for any $(c_0, c_1) \in \mathcal{E} \times B$. □

Please note that the family of hash functions used in the first scheme is con-
structed based on Theorem 4, whereas the family of hash functions used in the
second scheme is not. Therefore, we see that SKDU$_2$ can be constructed by other
means than Theorem 4.

5 Coping with More Powerful Cheaters

In this section, we consider models with more powerful cheaters than those
in the OKS and the CDV models and we present schemes secure against them.

In the OKS model and the CDV model, the secret reconstruction algorithm
Reconst is defined to take only a list of shares $(v_{i_1}, \ldots, v_{i_k})$ as input. In actual
schemes, however, the identities of the share owners are usually required to
reconstruct the secret. This means that we implicitly assume there exist means
to know the correct identities of share holders in the secret reconstruction phase
of both the OKS and the CDV models. In real life, however, it is very diffi-
cult to realize an identification scheme secure against adversaries with unlimited
computational power. Therefore, it is highly desirable to construct secret sharing
schemes capable of detecting cheating without relying on secure identification.

To this end, we define new models: the OKS$^+$ model and the CDV$^+$ model,
which are slight modifications of the OKS model and the CDV model, respec-
tively. In both new models, we modify the secret reconstruction algorithm Reconst
and the game Game$^+$ of cheaters $A = (A_1, A_2)$ against SS = (ShareGen, Reconst) as
follows. The secret reconstruction algorithm Reconst takes a list $((i_1, v_{i_1}), (i_2, v_{i_2}),
\ldots, (i_k, v_{i_k}))$ of pairs of an identity $i_\ell$ and a share $v_{i_\ell}$ of $P_{i_\ell}$. Cheaters in the new
models are allowed to forge their identities as well as their shares. To characterize
such cheaters, the game Game$^+$ is defined as follows.

Game$^+$(SS, $A$)

$s \leftarrow \mathcal{S}$; // according to the probability distribution over $\mathcal{S}$.

$(v_1, \ldots, v_n) \leftarrow \mathrm{ShareGen}(s)$;

$(i_1, \ldots, i_k) \leftarrow A_1()$;

// set $X = s$ for the CDV$^+$ model, $X = \emptyset$ for the OKS$^+$ model.

$((i'_1, v'_{i_1}), \ldots, (i'_{k-1}, v'_{i_{k-1}})) \leftarrow A_2(v_{i_1}, \ldots, v_{i_{k-1}}, X)$;

The advantage of cheaters is redefined by $\mathrm{Adv}(\mathrm{SS}, A) = \Pr[s' \in \mathcal{S} \wedge s' \neq s]$, where
$s' = \mathrm{Reconst}((i'_1, v'_{i_1}), (i'_2, v'_{i_2}), \ldots, (i'_{k-1}, v'_{i_{k-1}}), (i_k, v_{i_k}))$ and the probability is
taken over the distribution of $\mathcal{S}$, and over the random tapes of ShareGen and $A$.

Note that all the bounds for the OKS model (resp., the CDV model) (e.g.
Propositions 1-3 and Corollary 1) are also valid for the OKS$^+$ model (resp., the
CDV$^+$ model), since a scheme secure in the OKS$^+$ model (resp., the CDV$^+$
model) is also secure in the OKS model (resp., the CDV model.)

Though the schemes secure in the OKS model (resp., the CDV model) are
not necessarily secure in the OKS$^+$ model (resp., the CDV$^+$ model,) the scheme
presented in [8] can be proven to be secure in the OKS$^+$ model and the scheme
presented in [12] can be proven to be secure in the CDV$^+$ model. With respect
to the proposed schemes, the first scheme can be shown to be secure in the
CDV$^+$ model. However, the second scheme is not secure in the CDV$^+$ model.
This is because the security proof of the second scheme strongly relies on the
fact that the cheaters cannot manipulate the Lagrange coefficient $L_k$, which is
not the case in the CDV$^+$ model. When cheaters can manipulate the Lagrange
coefficient as they want, they will succeed in cheating with probability one, which
is possible by forging the Lagrange coefficient $L_k$ to $L'_k\,(\neq L_k)$ in eq. (2) and by
adjusting $s'_j$, $C'_0$ and $C'_1$ to make eq. (2) equivalent to eq. (1).

The good news is that the second scheme can be made secure in the CDV$^+$
model by a slight modification. The main idea of the modified scheme is to intro-
duce a constant padding to the hash function. Specifically, we choose a key $e$ of the
hash family with which $h_e(s_1, \ldots, s_N, 1, 1, 0, 1) = 0$ instead of choosing a key
such that $h_e(s_1, \ldots, s_N) = 0$ as in the second scheme. In this modified scheme,
we can show that cheaters cannot make eq. (2) equivalent to eq. (1) unless they
leave the Lagrange coefficient $L_k$ and the secret $s = (s_1, \ldots, s_N)$ unchanged.
The modified scheme can be described as follows.

Share Generation: On input a secret $s = (s_1, \ldots, s_N) \in \mathrm{GF}(p)^N$, the share
generation algorithm ShareGen outputs a list of shares $(v_1, \ldots, v_n)$ according to
the following procedure. Please note that we sometimes regard $s = (s_1, \ldots, s_N)$
as an element of $\mathrm{GF}(p^N)$ instead of $\mathrm{GF}(p)^N$.

1. Choose random $e_0, e_1 \in \mathrm{GF}(p)$ such that $e_0 - (e_1^{N+4} + e_1^{N+2} + e_1^{N+1} +
\sum_{j=1}^{N} s_j e_1^j) = 0$.

2. Generate random polynomials $f_s(x) \in \mathrm{GF}(p^N)[X]$ and $f_{e_0}(x), f_{e_1}(x) \in
\mathrm{GF}(p)[X]$ of degree $k - 1$ such that $f_s(0) = s$, $f_{e_0}(0) = e_0$ and $f_{e_1}(0) = e_1$.

3. Compute $v_i = (f_s(i), f_{e_0}(i), f_{e_1}(i))$ and output $(v_1, \ldots, v_n)$.

Secret Reconstruction and Validity Check: On input a list of $k$ pairs of identities
and shares $((i_1, v_{i_1}), \ldots, (i_k, v_{i_k}))$, the secret reconstruction algorithm Reconst
outputs a secret $s$ or $\bot$ according to the following procedure.

1. Reconstruct $s$, $e_0$ and $e_1$ from $v_{i_1}, \ldots, v_{i_k}$ using Lagrange interpolation.

2. Output $s$ if $e_0 - (e_1^{N+4} + e_1^{N+2} + e_1^{N+1} + \sum_{j=1}^{N} s_j e_1^j) = 0$ holds. Otherwise
Reconst outputs $\bot$.
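The threshold schemes of Section 3 (the scheme of §3.1 being the case $N = 1$ of §3.2) and the padded variant just described share one structure, so the following added example (written for this edition, not the authors' code) implements all of them over a prime field: Shamir sharing of $s$, $e_0$ and $e_1$, Lagrange reconstruction from (identity, share) pairs, and the validity check with or without the constant padding, followed by a constructed run in which one cheater forges a share or an identity. Assumptions: $p$ is a prime rather than a general prime power, and the $N$ coordinates of $s$ are shared with $N$ independent Shamir polynomials over GF($p$) instead of one polynomial over GF($p^N$); the share size in field elements and the check itself are the paper's.

```python
"""Added example: threshold secret sharing with cheating detection via the
paper's hash check e0 - (padding + sum_j s_j * e1^j) = 0.  Not the authors'
code.  Assumptions: P is a prime (the paper allows any prime power) and each
coordinate of s in GF(P)^N gets its own Shamir polynomial over GF(P)."""
import secrets

P = 2**31 - 1  # constructed example prime; GF(P) is integer arithmetic mod P


def _rand_poly(const, deg):
    """Random polynomial of degree deg over GF(P) with f(0) = const."""
    return [const % P] + [secrets.randbelow(P) for _ in range(deg)]


def _eval(poly, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(poly)) % P


def lagrange_at_zero(points):
    """f(0) from k points (x, y) on a degree-(k-1) polynomial over GF(P).
    The x values are the participants' identities, which is why forged
    identities change the Lagrange coefficients L_j (Section 5)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _hash_tail(s, e1, padded):
    """sum_{j=1..N} s_j * e1^j, plus e1^(N+4) + e1^(N+2) + e1^(N+1) when the
    Section 5 constant padding (1, 1, 0, 1) is appended to the secret."""
    N = len(s)
    tail = sum(sj * pow(e1, j + 1, P) for j, sj in enumerate(s))
    if padded:
        tail += pow(e1, N + 4, P) + pow(e1, N + 2, P) + pow(e1, N + 1, P)
    return tail % P


def validity_check(s, e0, e1, padded=False):
    """Value tested in step 2 of Reconst; genuine shares always give 0 because
    the hash value is fixed to the constant 0 at share generation."""
    return (e0 - _hash_tail(s, e1, padded)) % P


def share_gen(s, k, n, padded=False):
    """ShareGen: pick (e0, e1) with check value 0, then Shamir-share
    s_1..s_N, e0 and e1 with degree-(k-1) polynomials evaluated at 1..n."""
    e1 = secrets.randbelow(P)
    e0 = _hash_tail(s, e1, padded)                         # step 1
    polys = [_rand_poly(c, k - 1) for c in (*s, e0, e1)]   # step 2
    # step 3: participant i (identity i) gets (f_s(i), f_e0(i), f_e1(i))
    return {i: tuple(_eval(f, i) for f in polys) for i in range(1, n + 1)}


def reconst(pairs, N, padded=False):
    """Reconst on k (identity, share) pairs: interpolate every component at 0,
    then output the secret, or None standing for the paper's ⊥."""
    cols = [lagrange_at_zero([(i, v[c]) for i, v in pairs]) for c in range(N + 2)]
    s, e0, e1 = cols[:N], cols[N], cols[N + 1]
    return tuple(s) if validity_check(s, e0, e1, padded) == 0 else None


def demo(N=3, k=3, n=5, padded=False):
    """Constructed run: honest reconstruction, then two naive cheating attempts
    by P_1 against P_k.  Returns (honest_ok, forged_share_result,
    forged_identity_result); None means the cheating was detected."""
    s = tuple(secrets.randbelow(P) for _ in range(N))
    shares = share_gen(s, k, n, padded)
    honest = [(i, shares[i]) for i in range(1, k + 1)]
    # P_1 alters the s-part of its share: s' != s since L_1 != 0, and the
    # check then fails unless e1 is a root of a nonzero polynomial (<= N/p)
    forged_share = [(i, ((v[0] + 7) % P,) + v[1:]) if i == 1 else (i, v)
                    for i, v in honest]
    # P_1 keeps its share but claims identity n (CDV+ style forgery). This
    # naive swap is caught by both variants; only the padded one also resists
    # the adaptive choice of L'_k, s', C'_0, C'_1 discussed in Section 5.
    forged_id = [(n, v) if i == 1 else (i, v) for i, v in honest]
    return (reconst(honest, N, padded) == s,
            reconst(forged_share, N, padded),
            reconst(forged_id, N, padded))


if __name__ == "__main__":
    print(demo())                  # → (True, None, None)
    print(demo(N=2, padded=True))  # → (True, None, None)
```

Since Shamir's scheme is a linear secret sharing scheme in the sense of Section 4, `share_gen`/`reconst` are also an instance of the generic construction in the proof of Theorem 3 with $b = 0$.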

Security of the modified scheme is summarized by the following theorem.

Theorem 5. The modified scheme presented above is a $(k, n, \epsilon)$-secure secret shar-
ing scheme in the CDV$^+$ model with the following parameters: $|\mathcal{S}| = p^N$, $\epsilon =
(N+4)/p$ and $|\mathcal{V}_i| = p^{N+2}$ $(= |\mathcal{S}|(\log_p|\mathcal{S}| + 4)^2/\epsilon^2)$. Further, the scheme is secure
for arbitrary secret distribution.

Proof. The proof is similar to that of Theorem 2. Let $P_j$ $(1 \leq j \leq k - 1)$
be cheaters who try to cheat $P_k$ by forging their identities $j$ to $i_j\,(\neq k)$ and the
corresponding shares to $v'_{i_j} = (v'_{s,i_j}, v'_{e_0,i_j}, v'_{e_1,i_j})$ $(1 \leq j \leq k - 1)$.

As in the proof of Theorem 2, we consider two cases depending on whether the
cheaters know the secret. In the first case, suppose that the cheaters know the
secret. The cheaters obtain the following information about $e_0$ and $e_1$ from their
shares $v_1, \ldots, v_{k-1}$ and the secret $s \in \mathcal{S}$: $e_t = L_k v_{e_t,k} + \sum_{j=1}^{k-1} L_j v_{e_t,j}$ $(t = 0, 1)$,
$e_0 - (e_1^{N+4} + e_1^{N+2} + e_1^{N+1} + \sum_{j=1}^{N} s_j \cdot e_1^j) = 0$, where $v_{e_0,k}$ and $v_{e_1,k}$ are unknown
to the cheaters and each $L_j$ is a Lagrange coefficient. For simplicity, we will
rewrite $e_t$ by $e_t = L_k v_{e_t,k} + C_t$ (for $t = 0, 1$) where $C_t = \sum_{j=1}^{k-1} L_j v_{e_t,j}$ are known
to the cheaters. Then we have the following equality.

$$L_k v_{e_0,k} + C_0 = \sum_{j \in \{1,2,4\}} (L_k v_{e_1,k} + C_1)^{N+j} + \sum_{j=1}^{N} s_j \cdot (L_k v_{e_1,k} + C_1)^j \qquad (5)$$

Now suppose the cheaters $P_j$ $(1 \leq j \leq k - 1)$ try to cheat $P_k$ by forging their
identities to $i_j$ and by forging the corresponding shares to $v'_{i_j} = (v'_{s,i_j}, v'_{e_0,i_j}, v'_{e_1,i_j})$.
They succeed in cheating $P_k$ if $e'_0 - (\sum_{j \in \{1,2,4\}} e'^{\,N+j}_1 + \sum_{j=1}^{N} s'_j \cdot e'^{\,j}_1) = 0$ holds,
where $e'_0$, $e'_1$ and $s'\,(\neq s)$ are computed by $e'_t = L'_k v_{e_t,k} + \sum_{j=1}^{k-1} L'_j v'_{e_t,i_j}$ (for
$t = 0, 1$), $s' = L'_k v_{s,k} + \sum_{j=1}^{k-1} L'_j v'_{s,i_j}$, the $L'_j$ being the Lagrange coefficients
determined by the forged identities. Let $C'_t = \sum_{j=1}^{k-1} L'_j v'_{e_t,i_j}$ (for $t = 0, 1$); then
the cheaters succeed in cheating if the following equality holds (as in Theorem
2, the cheaters can control the values of $C'_0$, $C'_1$ and $s'$ as they want.)

$$L'_k v_{e_0,k} + C'_0 = \sum_{j \in \{1,2,4\}} (L'_k v_{e_1,k} + C'_1)^{N+j} + \sum_{j=1}^{N} s'_j \cdot (L'_k v_{e_1,k} + C'_1)^j \qquad (6)$$

The successful cheating probability $\epsilon$ is computed by $\epsilon = \Pr[s' \in \mathcal{S} \wedge s' \neq s] =
\Pr[\text{eq. (5) and eq. (6) hold} \mid \text{eq. (5) holds}]$. We will show that $\epsilon = (N+4)/p$.
First, assume that eq. (5) is not equivalent to eq. (6) (i.e. $L'_k \times$ eq. (5) is not
identical to $L_k \times$ eq. (6).) In this case, $\epsilon$ is proven to be $(N+4)/p$ by a similar
discussion to the proof of Theorem 2. Next, we will show that if the cheaters make
eq. (6) equivalent to eq. (5) then the successful cheating probability becomes 0. This
can be proven by showing that eq. (5) is equivalent to eq. (6) only if $L'_k = L_k$,
$C'_t = C_t$ (for $t = 0, 1$) and $s_j = s'_j$ (for $1 \leq j \leq N$), since the cheaters succeed
in cheating only when $P_k$ accepts $s'$ such that $s' \neq s$. Suppose $L'_k \times$ eq. (5) and
$L_k \times$ eq. (6) are identical; then their coefficients of $v_{e_1,k}^{N+4}, v_{e_1,k}^{N+3}, v_{e_1,k}^{N+2}$ and $v_{e_1,k}^{N+1}$
must be identical. Therefore, we have the following equations.

$$L'_k L_k^{N+4} = L_k L'^{\,N+4}_k \qquad (7)$$

$$(N+4)\, C_1 L'_k L_k^{N+3} = (N+4)\, C'_1 L_k L'^{\,N+3}_k \qquad (8)$$

$$\Big(\tbinom{N+4}{2} C_1^2 + 1\Big) L'_k L_k^{N+2} = \Big(\tbinom{N+4}{2} C'^{\,2}_1 + 1\Big) L_k L'^{\,N+2}_k \qquad (9)$$

$$\Big(\tbinom{N+4}{3} C_1^3 + \tbinom{N+2}{1} C_1 + 1\Big) L'_k L_k^{N+1} = \Big(\tbinom{N+4}{3} C'^{\,3}_1 + \tbinom{N+2}{1} C'_1 + 1\Big) L_k L'^{\,N+1}_k \qquad (10)$$

From eq. (7) and eq. (8) we have $L_k^{N+3} = L'^{\,N+3}_k$ and $C_1/L_k = C'_1/L'_k$. Using
these relations, eq. (7)-eq. (10) can be rewritten as follows.

$$L_k^{N+3} = L'^{\,N+3}_k,\qquad C_1/L_k = C'_1/L'_k,\qquad L_k^{N+1} = L'^{\,N+1}_k,\qquad L_k^{N} = L'^{\,N}_k$$

The above equalities hold if and only if $L_k = L'_k$ and $C_1 = C'_1$. Further, $s_j = s'_j$
(for $1 \leq j \leq N$) can also be derived from the condition that the coefficients
of $v_{e_1,k}^j$ in eq. (5) and eq. (6) are identical. Finally, $C_0 = C'_0$ is derived from the
condition that the constant terms of eq. (5) and eq. (6) are identical.

Now we consider the second case in which the cheaters do not know the secret.
In this case the successful cheating probability of the cheaters who forge their
identities and corresponding shares from $(j, (v_{s,j}, v_{e_0,j}, v_{e_1,j}))$ to $(i_j, (v'_{s,i_j}, v'_{e_0,i_j},
v'_{e_1,i_j}))$ is computed as follows:

$$\epsilon = \sum_{s \in \mathcal{S}} \Pr[\mathcal{S} = s] \Pr[s' \in \mathcal{S} \wedge s' \neq s]
= \sum_{s \in \mathcal{S}} \Pr[\mathcal{S} = s] \Pr[\text{eq. (5) and eq. (6) hold} \mid \text{eq. (5) holds}] = (N+4)/p.$$

The above equality holds since $\Pr[\text{eq. (5) and eq. (6) hold} \mid \text{eq. (5) holds}] =
(N+4)/p$ holds for any $s \in \mathcal{S}$. □


The following theorem gives a generalized result analogous to Theorem 3. 

Theorem 6. If there exist linear secret sharing schemes over $\mathcal{S}$ and $\mathcal{E}$ for a
common access structure $\Gamma$ and a family of hash functions $H : \mathcal{S} \to \mathcal{B}$ which
satisfies the conditions (1)-(3) below, then there exists a secret sharing scheme
capable of detecting cheating for the access structure $\Gamma$ in the CDV$^+$ model such
that the successful cheating probability equals $\epsilon$ for arbitrary secret distribution.

1. Addition and (scalar) multiplication over the set of keys $\mathcal{E}$ of $H$ are defined.

2. There exists $b \in \mathcal{B}$ such that for any distinct $a, a' \in \mathcal{A}$ and for any $C_0$ and
$C_1 \in \mathcal{E}$,
$$\frac{|\{h_e \mid e \in \mathcal{E},\ h_e(a) = b,\ h_{C_0 \cdot e + C_1}(a') = b\}|}{|\{h_e \mid e \in \mathcal{E},\ h_e(a) = b\}|} \le \epsilon$$
holds.

3. There exists an efficient (i.e. polynomial time) algorithm to choose $e \in \mathcal{E}$
randomly from the set $\{e \in \mathcal{E} \mid h_e(a) = b\}$ for any $a \in \mathcal{A}$.


Proof. The proof is similar to that of Theorem 3. Let $\mathcal{S}$ and $\mathcal{E}$ be the set of
secrets and the set of keys for a function family $H$, respectively. Further, let
$SS_1 = (\mathrm{ShareGen}_1, \mathrm{Reconst}_1)$ and $SS_2 = (\mathrm{ShareGen}_2, \mathrm{Reconst}_2)$ be linear secret
sharing schemes over $\mathcal{S}$ and over $\mathcal{E}$ for the same access structure $\Gamma$, respectively.
The share generation algorithm ShareGen and Reconst are identical to those
defined in the proof of Theorem 3 except that the family of hash functions used
here meets the conditions 1-3 of Theorem 6.



378 


S. Obana and T. Araki 


Now we show that the above $SS = (\mathrm{ShareGen}, \mathrm{Reconst})$ is $\epsilon$-secure even when
the cheaters forge their identities as well as their shares. Without loss of generality
we can assume that $V = \{P_1, \ldots, P_t\}$ is an element of $\Gamma$ and that $P_1, \ldots, P_{t-1}$
are cheaters who try to cheat $P_t$. There are two cases to consider. In the first
case, suppose that the cheaters know the secret. Let $v_i = (v_{s,i}, v_{e,i})$ be the share
of $P_i$. Since the cheaters know their shares $v_1, \ldots, v_{t-1}$ and the secret $s$, and since
$SS_1$ and $SS_2$ are linear secret sharing schemes, the cheaters know that $h_e(s) = b$
holds, where $e$ is computed by $e = c_{V,t}\, v_{e,t} + \sum_{j=1}^{t-1} c_{V,j}\, v_{e,j}$ for constants $c_{V,j}$.
Now suppose the cheaters try to cheat $P_t$ by forging their identities from $j$
to $i_j$ (for $1 \le j \le t-1$) and the corresponding shares to $v'_j = (v'_{s,i_j}, v'_{e,i_j})$ (for
$1 \le j \le t-1$). They succeed in cheating $P_t$ if $h_{e'}(s') = b$ holds for $e'$ and $s'$ ($\neq s$)
computed by $e' = c'_{V,t}\, v_{e,t} + \sum_{j=1}^{t-1} c'_{V,i_j}\, v'_{e,i_j}$ and $s' = c'_{V,t}\, v_{s,t} + \sum_{j=1}^{t-1} c'_{V,i_j}\, v'_{s,i_j}$.

Since $e' = \bigl(c'_{V,t}/c_{V,t}\bigr)\, e + \sum_{j=1}^{t-1} \bigl(c'_{V,i_j}\, v'_{e,i_j} - (c'_{V,t}\, c_{V,j}/c_{V,t})\, v_{e,j}\bigr)$ holds, we see that the
cheaters succeed in cheating if $h_{C_0 \cdot e + C_1}(s') = b$ holds, where $C_0 = c'_{V,t}/c_{V,t}$ and
$C_1 = \sum_{j=1}^{t-1} \bigl(c'_{V,i_j}\, v'_{e,i_j} - (c'_{V,t}\, c_{V,j}/c_{V,t})\, v_{e,j}\bigr)$ are known to the cheaters. Therefore, the
successful cheating probability $\epsilon$ is computed as follows.

$$\Pr[s' \in \mathcal{S} \wedge s' \neq s] = \Pr[h_e(s) = b \text{ and } h_{C_0 \cdot e + C_1}(s') = b \mid h_e(s) = b]
= \frac{|\{h_e \mid h_e(s) = b,\ h_{C_0 \cdot e + C_1}(s') = b\}|}{|\{h_e \mid h_e(s) = b\}|} \le \epsilon,$$

where the last inequality directly follows from condition (2) of Theorem 6.

It can be proven that the successful cheating probability is upper bounded
by $\epsilon$ when the cheaters do not know the secret by the same technique used in
Theorem 5. □

6 Conclusion 

In this paper, we proposed two efficient $(k, n, \epsilon_{\mathrm{CDV}})$-secure secret sharing schemes
in the CDV model which are proven to be secure for arbitrary secret distribution.
The first scheme is nearly optimum with respect to the size of shares; that is, the
size of share is only one bit longer than the lower bound of Corollary 1. In the
second scheme, the size of share is larger than that in the first scheme. However,
the second scheme possesses a particular merit in that the successful cheating
probability can be chosen without regard to the size of the secret. Table 1 below
compares the bit length of shares in the three schemes for various security
parameters, where the secret is 1024 bit and the access structure considered is a
3-out-of-5 threshold type access structure. Compared to the scheme of [12], the size
of shares in the proposed scheme (the second scheme) is smaller for all security
parameters. It is interesting to note that, when $\epsilon > |\mathcal{S}|^{-1/2}$, the size of the share
in the proposed scheme is even smaller than that in [8], which is proven to be
secure only in the OKS model. This is because $\epsilon$ is determined to be $\epsilon = 2^{-1024}$
when the secret is 1024 bit in the scheme of [8]. Therefore, $\epsilon$ is forced to be $2^{-1024}$
in [8] even when we only require the security level of $\epsilon = 2^{-128}$ or $\epsilon = 2^{-256}$,
which makes the size of share larger than that in the proposed scheme when $\epsilon$
is relatively large (please note that $\epsilon = 2^{-128}$ or $\epsilon = 2^{-256}$ will be secure enough
in most settings.)

Table 1. Comparison table of the bit length of the shares (for the secret of 1024 bit)

| ε           | Proposed Scheme | Tompa and Woll | Ogata et al. |
| (illegible) | 1286            | 2306           | 2048         |
| (illegible) | 1540            | 2562           | 2048         |
| (illegible) | 2050            | 3074           | 2048         |
| (illegible) | 3072            | 4098           | 2048         |

It will be a future study to find $(k, n, \epsilon_{\mathrm{CDV}})$-secure secret sharing schemes in
the CDV model which are secure for arbitrary secret distribution and for which the
bound of Corollary 1 is satisfied with equality.
Abstract. We introduce KFC, a block cipher based on a three round Feistel scheme.
Each of the three round functions has an SPN-like structure for which we can
either compute or bound the advantage of the best d-limited adaptive distinguisher,
for any value of d. Using results from the decorrelation theory, we extend these
results to the whole KFC construction. To the best of our knowledge, KFC is the
first practical (in the sense that it can be implemented) block cipher to propose
tight security proofs of resistance against large classes of attacks, including most
classical cryptanalysis (such as linear and differential cryptanalysis, taking the hull
effect into consideration in both cases, higher order differential cryptanalysis, the
boomerang attack, differential-linear cryptanalysis, and others).


1 Introduction 

Most modern block ciphers are designed to resist a wide range of cryptanalytic 
techniques. Among them, one may cite linear cryptanalysis [19,20,23], differential 
cryptanalysis [7,8], as well as several variants such as impossible differentials [5], 
the boomerang attack [27] or the rectangle attack [6]. Proving resistance against 
all these attacks is often tedious and does not give any guarantee that a subtle 
new variant would not break the construction. Rather than considering all known 
attacks individually, it would obviously be preferable to give a unique proof, valid 
for a family of attacks. 

In [26], Vaudenay shows that the decorrelation theory provides tools to prove
security results in the Luby-Rackoff model [18], i.e., against adversaries only
limited by the number of plaintext/ciphertext pairs they can access. Denoting
by d this number of pairs, the adversaries are referred to as d-limited distinguishers.
Unfortunately, this class of adversaries does not capture the most widely
studied statistical attacks such as linear and differential cryptanalysis. Instead,
these attacks are formalized by so-called iterated attacks of order d [25]. This
class of attacks was initially inspired by linear and differential cryptanalysis and
actually formalizes most of the possible statistical attacks against block ciphers.
For example, linear cryptanalysis is an iterated attack of order 1, differential
cryptanalysis is of order 2, and higher order differential cryptanalysis [16, 15] of
order i is an iterated attack of order $d = 2^i$.

* Supported by the Swiss National Science Foundation, 200021-107982/1. 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 380-395, 2006. 
It is proven that resistance against all 2d-limited distinguishers is sufficient
to resist iterated attacks of order d [26]. Consequently, designing a block cipher
resistant to d-limited distinguishers for a large d is enough to resist most standard
attacks against block ciphers. Obviously, this is not a trivial task as, to the best
of our knowledge, no efficient block cipher was ever designed to resist d-limited
distinguishers for d > 2 [14,26].

In a previous article entitled “Dial C for Cipher” [1], we presented a block
cipher construction provably resistant against (among others) linear and differential
cryptanalysis (where the linear hull [21] and differentials [17] effects are
taken into account, which is unfortunately not usual in typical proofs of security
of block ciphers), several of their variants, 2-limited distinguishers and thus, all
iterated attacks of order 1. Our aim in this article is to design a block cipher
based on the same principles as C but provably secure against d-limited distinguishers
for large values of d. We call this construction KFC as it is based on
a Feistel scheme. KFC is practical in the sense that it can be implemented and
reaches a throughput of a few Mbits/s. Just as the typical security proofs of block
ciphers do not compare to ours, the encryption speed reached by KFC does not
compare to those of nowadays block ciphers.

Constructions based on the decorrelation theory have already been proposed.
COCONUT98 [24] was one of the first efficient block ciphers based on decorrelation
concepts. It resists 2-limited distinguishers but can be attacked by David
Wagner’s boomerang attack [27], which is an iterated attack of order 4. Of course
this does not prove that the decorrelation theory is useless, but only that decorrelation
results do not prove more than what they claim. KFC is designed to
resist d-limited distinguishers (and consequently, iterated attacks up to a given
order), nothing more.

High Overview and Outline of the Paper. Before building a provably secure 
block cipher, we need to define precisely against which class of attacks it should 
be resistant. The adversary model and some reminders about the decorrelation 
theory are given in Section 2. Then, in Section 3, we give some hints about why 
we chose to use a Feistel scheme [13] for KFC. A description of the structure of 
the random functions we use in the Feistel scheme is then given in Section 4. 
The exact advantage of the best 2-limited distinguisher is computed in Section 5, 
and in Section 6, we bound the advantage of higher order adversaries. 

2 Security Model 

In this paper, a perfectly random function (resp. permutation) denotes a random 
function (resp. permutation) uniformly distributed among all possible functions 
(resp. permutations). Consequently, when referring to a random function or a 
random permutation, nothing is assumed about its distribution. 

The Luby-Rackoff Model [18]. We consider an adversary A with unbounded
computational power, only limited by its number of queries d to an oracle O
implementing a random permutation. The goal of A is to guess whether O is
implementing an instance drawn uniformly among the permutations defined by
a block cipher C or among all possible permutations, knowing that these two
events have probability 1/2 and that one of them is eventually true. Such an
adversary is referred to as a d-limited adaptive distinguisher when he adaptively
chooses his queries depending on previous answers from the oracle, or as a d-limited
non-adaptive distinguisher when all the queries are made at once. In both
cases, the ability of A to succeed is measured by means of its advantage.

Definition 1. The advantage of A of distinguishing two random functions $F_0$
and $F_1$ is defined by $\mathrm{Adv}_A(F_0, F_1) = \bigl|\Pr[A(F_0) = 0] - \Pr[A(F_1) = 0]\bigr|$.

Informally, a secure block cipher C (i.e., a random permutation) should be
indistinguishable from a perfectly random permutation $C^*$, i.e., the advantage
$\mathrm{Adv}_A(C, C^*)$ of any adversary A should be negligible. A secure random function
F should be indistinguishable from a perfectly random function $F^*$, i.e., the
advantage $\mathrm{Adv}_A(F, F^*)$ of any adversary A should be negligible. Apart from very
specific (and usually non-practical) constructions, computing the exact advantage
of the best d-limited distinguisher is not straightforward. The decorrelation
theory [26] gives some tools that will allow us to compute (or at least bound)
this advantage for KFC.

Reminders on the Decorrelation Theory. Let $F : \{0,1\}^n \to \{0,1\}^n$ be a
random function. The distribution matrix $[F]^d$ of $F$ at order $d$ is a $2^{nd} \times 2^{nd}$
matrix defined by $[F]^d_{(x_1,\ldots,x_d),(y_1,\ldots,y_d)} = \Pr_F[F(x_1) = y_1, \ldots, F(x_d) = y_d]$. If $F_1$
and $F_2$ are two independent random functions, we have $[F_2 \circ F_1]^d = [F_1]^d \times [F_2]^d$.
The advantage of the best distinguisher between $F$ and $F^*$ only depends on the
distance between $[F]^d$ and $[F^*]^d$, whose exact definition will depend on whether
the considered distinguisher is adaptive or not.

Definition 2. Let $A \in \{0,1\}^{nd} \times \{0,1\}^{nd}$ be a matrix indexed by $d$-tuples of
elements in $\{0,1\}^n$. We let:

$$|||A|||_\infty = \max_{x_1,\ldots,x_d} \sum_{y_1,\ldots,y_d} \bigl|A_{(x_1,\ldots,x_d),(y_1,\ldots,y_d)}\bigr| \quad\text{and}\quad
\|A\|_a = \max_{x_1} \sum_{y_1} \cdots \max_{x_d} \sum_{y_d} \bigl|A_{(x_1,\ldots,x_d),(y_1,\ldots,y_d)}\bigr|.$$

Property 3 (Theorems 10 and 11 in [26]). Let $F$ be a random function
and $F^*$ be a perfectly random function. The advantage of the best $d$-limited
non-adaptive distinguisher $A$ is such that $\mathrm{Adv}_A(F, F^*) = \tfrac{1}{2}\, |||[F]^d - [F^*]^d|||_\infty$,
whereas the advantage of the best $d$-limited adaptive distinguisher $A_a$ is such
that $\mathrm{Adv}_{A_a}(F, F^*) = \tfrac{1}{2}\, \|[F]^d - [F^*]^d\|_a$.

An iterated attack of order d consists in iterating independent non-adaptive d-limited
attacks with random inputs. The algorithm of Fig. 1 gives a more formal
definition of this concept. For example, linear cryptanalysis is an iterated attack
of order 1 where $T(X, Y) = a \cdot X \oplus b \cdot Y$ (where $a$ and $b$ respectively denote
the input and output masks) and where $X$ is a uniformly distributed random
variable on the text space. Similarly, differential cryptanalysis is an iterated attack



KFC - The Krazy Feistel Cipher 383 


Parameters: a complexity $n$, a distribution on $X$, a test function $T$
outputting one bit, a set $\mathcal{S}$
Oracle: a permutation $C$

1: for $i = 1$ to $n$ do
2:   pick $X = (X_1, \ldots, X_d)$ at random
3:   get $Y = (C(X_1), \ldots, C(X_d))$
4:   set $T_i = T(X, Y)$
5: end for
6: if $(T_1, \ldots, T_n) \in \mathcal{S}$ then output 1 else output 0 end if

Fig. 1. Iterated attack of order $d$


of order 2 where $T((X_1, X_2), (Y_1, Y_2))$ is 1 when $Y_1 \oplus Y_2 = b$ and 0 otherwise,
and where $X_1$ is a uniformly distributed random variable and $X_2 = X_1 \oplus a$.
As proved in Theorem 18 in [26], bounding the advantage of the best 2d-limited
non-adaptive adversary is sufficient to bound the advantage of any adversary
performing an iterated attack of order d. Roughly speaking, a block cipher C
with a negligible order 2d decorrelation $|||[C]^{2d} - [C^*]^{2d}|||_\infty$ is resistant to iterated
attacks of order d.


3 From the SPN of C to the Feistel Scheme of KFC 

The block cipher C (introduced in [1, 2]) is based on the same substitution-permutation
network (SPN) as the AES [11], except that the fixed substitution
boxes are replaced by mutually independent and perfectly random permutations.
It achieves goals similar to those we want to achieve with KFC: being resistant
against 2-limited adversaries, it is secure against all iterated attacks of order 1.
These results were obtained by exploiting strong symmetries (induced by intrinsic
symmetries of the confusion and diffusion layers) in the order 2 distribution
matrix of C. Unfortunately, we were not able to exhibit similar symmetries for
higher orders. It appears that layers of perfectly random permutations are suitable
for proving security results at order 2, not above.

Instead of explicitly computing the advantage of a d-limited distinguisher 
we will try to bound it by a function of the advantage of the best (d — 1)- 
limited distinguisher, and apply this bound recursively down to order 2 (which 
we know how to compute). This seems clearly impossible with layers of random 
permutations as two distinct inputs will always lead to two correlated outputs. 
However, this is not the case anymore when considering a layer of mutually 
independent and perfectly random functions. For instance, two distinct inputs 
of a perfectly random function yield two independent outputs. Similarly, if the 
two inputs of a layer of functions are distinct on each function input, the outputs 
are independent. This extends well to a set of d texts: if one text is different from 
all the others on all function inputs, the corresponding output is independent 
from all other outputs. A formal treatment of this idea is given in Section 4. 
Fig. 2. Increasing the decorrelation order using a layer made of small independent and
perfectly random functions


However, layers of random functions cannot always be inverted and thus do 
not fit in a classical SPN structure. The straightforward solution is to use a 
Feistel scheme [13]. Moreover, decorrelation results on the round functions of a 
Feistel scheme extend well to the whole construction. 

Theorem 4 (Theorem 21 in [26]). Let $F^*$ be a uniformly distributed random
function on $\{0,1\}^n$. Let $F_1, \ldots, F_r$ be $r$ independent random functions on
$\{0,1\}^n$ such that $\mathrm{Adv}_A(F_i, F^*) \le \epsilon$ ($i = 1, \ldots, r$) for any adversary $A$. Let
$C = \Psi(F_1, \ldots, F_r)$ be an $r$ round Feistel cipher on $\{0,1\}^{2n}$. For any adversary
$A$ limited to $d$ queries and for any integer $k \ge 3$, we have:

$$\mathrm{Adv}_A(C, C^*) \le \frac{1}{2} \Bigl(2k\epsilon + \frac{2d^2}{2^n}\Bigr)^{\lfloor r/k \rfloor}.$$

This theorem shows that if we can instantiate independent random functions 
secure against all d-limited distinguishers, we can obtain a block cipher provably 
secure against any d-limited distinguisher. In the following sections, we focus on 
building a round function $F_{\mathrm{KFC}}$ following the ideas we have introduced here.

4 A Good Round Function $F_{\mathrm{KFC}}$ for the Feistel Scheme

To analyze the behavior of a layer of random functions, we analyze the construction
$F = S_3 \circ F_2 \circ F_1$ where $F_1 : \{0,1\}^n \to \{0,1\}^n$ is a random function, $S_3$ is a
random permutation, and $F_2$ is a layer made of small independent and perfectly
random functions (see Fig. 2(a)). We assume that $F_1$, $F_2$, and $S_3$ are mutually
independent. We obtain an interesting property, making it possible to relate the
order $d$ decorrelation of $F$ to its order $d-1$ decorrelation. We consider a set of $d$
inputs of the function $F$ and denote the corresponding random outputs of $F_1$ by
$X_1, \ldots, X_d$, where $X_k = (X_{k,1}, \ldots, X_{k,N})$ for $k = 1, \ldots, d$. Let $a$ be the event
$\{\exists k \text{ s.t. } \forall j\ X_{k,j} \notin \{X_{1,j}, \ldots, X_{k-1,j}, X_{k+1,j}, \ldots, X_{d,j}\}\}$, that is, $a$ is the event
that one of the inputs is different from all the others on the $N$ blocks. If $a$ occurs,
at least one of the outputs of the functions layer is a uniformly distributed
random variable independent from the others. More formally, if we denote by $A_d$
the best $d$-limited adversary trying to distinguish $F$ from $F^*$, we have:

$$\begin{aligned}
\mathrm{Adv}_{A_d}(F, F^*) &= \bigl|1 - 2 \cdot \Pr[A_d(F) = 1]\bigr| \\
&= \bigl|1 - 2 \cdot \bigl(\Pr[A_d(F) = 1 \mid a]\,\Pr[a] + \Pr[A_d(F) = 1 \mid \bar a]\,\Pr[\bar a]\bigr)\bigr| \\
&\le \mathrm{Adv}_{A_{d-1}}(F, F^*)\,\Pr[a] + \bigl|1 - 2 \cdot \Pr[A_d(F) = 1 \mid \bar a]\bigr|\,\Pr[\bar a] \\
&\le \mathrm{Adv}_{A_{d-1}}(F, F^*) + \Pr[\bar a], \qquad (1)
\end{aligned}$$

where the first inequality comes from the fact that if $a$ occurs, at least one output
of $F$ is completely independent from all the others. As $S_3$ is a permutation, it
preserves this independence. Therefore, when $a$ occurs, a $d$-limited distinguisher
cannot be more efficient than the best $(d-1)$-limited distinguisher (this is formally
proven in Appendix A by looking at the definition of the decorrelation norms).

Why this is not Enough. From the previous inequality, it seems natural to
consider a substitution-permutation-like construction made of an alternation of
layers of independent and perfectly random functions and layers of linear diffusion
(as shown on Fig. 2(b)). Intuitively, one could think that (as is the case
when iterating random permutations) iterating random functions is sufficient
to decrease the advantage of a distinguisher. However, this is definitely not the
case. Indeed, consider a 2-limited attack where the two plaintexts are equal on
$N-1$ blocks and different on the last block. There is a non-negligible probability
$2^{-\ell}$ that, after the first layer of functions, both outputs are completely equal,
thus leading to a distinguisher with advantage $2^{-\ell}$. For practical values of $\ell$ (e.g.,
$\ell = 8$), this is not acceptable. This means that we need a good resistance against
2-limited adversaries to initialize the recurrence relation of equation (1).

The Sandwich Technique. As proven in [1], an SPN using layers of mutually
independent and perfectly random permutations is efficient against 2-limited
distinguishers. Intuitively, this means that any set of $d$ inputs will lead to a
set of $d$ pairwise independent outputs. As we will see in Section 6, pairwise
independence is exactly what we need to apply the recursive relation (1).

For these reasons the construction we chose for $F_{\mathrm{KFC}}$ consists in sandwiching
the construction sketched on Figure 2(b) between two SPNs using layers of
mutually independent and perfectly random permutations.

Description of $F_{\mathrm{KFC}}$. The round function $F_{\mathrm{KFC}}$ used in the Feistel scheme
defining KFC is based on three different layers:

• a substitution layer S made of $N$ mutually independent and perfectly random
$\ell$ bit permutations,

• a function layer F made of $N$ mutually independent and perfectly random $\ell$
bit functions,

• a linear layer L which is an $N \times N$ matrix of elements in $\mathrm{GF}(2^\ell)$ defining an
MDS code (for optimal diffusion), which requires $N \le 2^{\ell - 1}$.

Let $r_1$ and $r_2$ be two integers. The round function $F_{\mathrm{KFC}}$ of KFC is defined as:

$$F_{\mathrm{KFC}} = F_{\mathrm{KFC}[r_1, r_2]} = S \circ (L \circ F)^{r_2} \circ (L \circ S)^{r_1}.$$
5 Computing the Advantage of the Best 2-Limited Distinguisher Against $F_{\mathrm{KFC}}$

As all layers of $F_{\mathrm{KFC}}$ are mutually independent, the order 2 distribution matrix
$[F_{\mathrm{KFC}}]^2$ can be expressed as

$$[F_{\mathrm{KFC}}]^2 = [S \circ (L \circ F)^{r_2} \circ (L \circ S)^{r_1}]^2 = ([S]^2 \times [L]^2)^{r_1} \times ([F]^2 \times [L]^2)^{r_2} \times [S]^2.$$

Each of these matrices is a $2^{2n} \times 2^{2n}$ square matrix, which makes direct computations
impossible for practical parameters. In the rest of this Section we
will exploit symmetries in order to reduce the computation to a product of
$(N+1) \times (N+1)$ square matrices. For simplicity, we respectively denote by $S$,
$F$, and $L$ the distribution matrices $[S]^2$, $[F]^2$, and $[L]^2$ and let $q = 2^\ell$.

5.1 Conversion Matrices

Definition 5. Considering $a \in \{0,1\}^n$ as an $N$-tuple of elements in $\{0,1\}^\ell$,
the support of $a$ is the binary $N$-tuple with 1's at the non-zero positions of
$a$ and 0 elsewhere. It is denoted $\mathrm{supp}(a)$. The weight of the support, denoted
$w(\mathrm{supp}(a))$ or $w(a)$, is the Hamming weight of the support. When considering
a pair $x, x' \in \{0,1\}^n$, the support of the pair is $\mathrm{supp}(x \oplus x')$.

Distribution matrices at order 2 are indexed by pairs of texts. Using symmetries
at two levels, we will first shrink them to $2^N \times 2^N$ matrices indexed by supports
of pairs and then to $(N+1) \times (N+1)$ matrices indexed by weights. To do so,
we define the following conversion matrices.

Pair of texts ↔ Support of pair. We let $PS$ (resp. $SP$) denote the matrix
that converts a pair of texts into a support (resp. a support into a pair of texts)
in a uniform way. That is:

$$PS_{(x,x'),\gamma} = 1_{\gamma = \mathrm{supp}(x \oplus x')} \quad\text{and}\quad SP_{\gamma',(y,y')} = 1_{\gamma' = \mathrm{supp}(y \oplus y')}\, q^{-N} (q-1)^{-w(\gamma')},$$

where $x, x', y, y' \in \{0,1\}^n$ and $\gamma, \gamma' \in \{0,1\}^N$. One can note that $SP \times PS = \mathrm{Id}$.

Support of pair ↔ Weight. Similarly, we let $WS$ (resp. $SW$) denote the
matrix that converts a support into a weight (resp. a weight into a support) in
a uniform way. That is:

$$SW_{\gamma,w} = 1_{w(\gamma) = w} \quad\text{and}\quad WS_{w',\gamma'} = 1_{w(\gamma') = w'} \binom{N}{w'}^{-1},$$

where $\gamma, \gamma' \in \{0,1\}^N$ and $w, w' \in \{0, \ldots, N\}$. We have $WS \times SW = \mathrm{Id}$.

Pair of texts ↔ Weight. Finally we let $PW = PS \times SW$ and $WP = WS \times SP$
so that we obtain:

$$PW_{(x,x'),w} = 1_{w(x \oplus x') = w} \quad\text{and}\quad WP_{w',(y,y')} = 1_{w(y \oplus y') = w'}\, q^{-N} (q-1)^{-w'} \binom{N}{w'}^{-1}.$$

Again, we have $WP \times PW = \mathrm{Id}$.
5.2 Shrinking F and S, the First Step

Let $x, x', y, y' \in \mathrm{GF}(q)^N$. As the $N$ random functions of the F layer are mutually
independent, we can express the coefficients of the distribution matrix $F$ as

$$F_{(x,x'),(y,y')} = q^{-q \cdot N} \prod_{i=1}^{N} \#\{f_i : \mathrm{GF}(q) \to \mathrm{GF}(q) : f_i(x_i) = y_i,\ f_i(x'_i) = y'_i\}.$$

In the case where $\mathrm{supp}(y \oplus y') \not\subseteq \mathrm{supp}(x \oplus x')$, we have $F_{(x,x'),(y,y')} = 0$. When
$\mathrm{supp}(y \oplus y') \subseteq \mathrm{supp}(x \oplus x')$, the uniform distribution of the $f_i$'s leads to:

$$F_{(x,x'),(y,y')} = q^{-q \cdot N - w(x \oplus x') + q \cdot N - N} = q^{-w(x \oplus x') - N},$$

and we see that $F$ only depends on the support of pairs. Consequently,

$$\begin{aligned}
F_{(x,x'),(y,y')} &= 1_{\mathrm{supp}(y \oplus y') \subseteq \mathrm{supp}(x \oplus x')}\, q^{-w(x \oplus x') - N} \\
&= \sum_{\gamma,\gamma'} 1_{\gamma = \mathrm{supp}(x \oplus x')}\, 1_{\gamma' = \mathrm{supp}(y \oplus y')}\, 1_{\gamma' \subseteq \gamma}\, q^{-w(\gamma) - N} \\
&= \sum_{\gamma,\gamma'} PS_{(x,x'),\gamma}\, 1_{\gamma' \subseteq \gamma}\, q^{-w(\gamma)} (q-1)^{w(\gamma')}\, SP_{\gamma',(y,y')}.
\end{aligned}$$

Defining the $2^N \times 2^N$ matrix $\tilde F$ by $\tilde F_{\gamma,\gamma'} = 1_{\gamma' \subseteq \gamma}\, q^{-w(\gamma)} (q-1)^{w(\gamma')}$ we obtain:

$$F = PS \times \tilde F \times SP. \qquad (2)$$

Similarly, for the S layer we have:

$$S_{(x,x'),(y,y')} = 1_{\mathrm{supp}(x \oplus x') = \mathrm{supp}(y \oplus y')}\, q^{-N} (q-1)^{-w(x \oplus x')} = \sum_{\gamma} PS_{(x,x'),\gamma}\, SP_{\gamma,(y,y')}$$

and thus,

$$S = PS \times SP. \qquad (3)$$


5.3 Shrinking L, the Second Step

Given the structure of $F_{\mathrm{KFC}}$, each linear layer L is surrounded by S or F layers.
From equations (2) and (3), this means that each matrix $L$ is surrounded by the
conversion matrices $PS$ and $SP$. Denoting $\tilde L = SP \times L \times PS$ we obtain:

$$\begin{aligned}
\tilde L_{\gamma,\gamma'} &= \sum_{(x,x')} \sum_{(y,y')} SP_{\gamma,(x,x')}\, L_{(x,x'),(y,y')}\, PS_{(y,y'),\gamma'} \\
&= q^{-N} (q-1)^{-w(\gamma)} \sum_{(x,x')} 1_{\gamma = \mathrm{supp}(x \oplus x')}\, 1_{\gamma' = \mathrm{supp}(L(x \oplus x'))} \\
&= (q-1)^{-w(\gamma)} \sum_{x} 1_{\gamma = \mathrm{supp}(x)}\, 1_{\gamma' = \mathrm{supp}(L(x))}.
\end{aligned}$$
The sum in this equation is the number of texts of a given support $\gamma$ that are
mapped by the MDS linear layer L on a text of support $\gamma'$. The number of
codewords with given supports can be explicitly computed for any MDS code
(see Theorem 3 in [12]) and, amazingly, only depends on the weights of the
supports $\gamma$ and $\gamma'$. We obtain the following formula:

$$\tilde L_{\gamma,\gamma'} = (q-1)^{-w(\gamma)}\, \frac{E\bigl(w(\gamma) + w(\gamma')\bigr)}{\binom{2N}{w(\gamma) + w(\gamma')}},$$

where $E(i) = \binom{2N}{i} \sum_{j=N+1}^{i} (-1)^{i-j} \binom{i}{j} \bigl(q^{j-N} - 1\bigr)$ for $i > N$, $E(0) = 1$, and
$E(i) = 0$ for $0 < i \le N$. As the previous equation only depends on the weights
of $\gamma$ and $\gamma'$, we can shrink $\tilde L$ even more:

$$\tilde L_{\gamma,\gamma'} = \sum_{w,w'} 1_{w(\gamma) = w}\, 1_{w(\gamma') = w'}\, (q-1)^{-w} \frac{E(w + w')}{\binom{2N}{w + w'}}
= \sum_{w,w'} SW_{\gamma,w} \left[\binom{N}{w'} (q-1)^{-w} \frac{E(w + w')}{\binom{2N}{w + w'}}\right] WS_{w',\gamma'}.$$

Defining the $(N+1) \times (N+1)$ matrix $\bar L$ by $\bar L_{w,w'} = \binom{N}{w'} (q-1)^{-w} \frac{E(w + w')}{\binom{2N}{w + w'}}$ we obtain:

$$\tilde L = SW \times \bar L \times WS. \qquad (4)$$

A Brief Summary of the Situation. We started from $[F_{\mathrm{KFC}}]^2 = (S \times L)^{r_1} \times
(F \times L)^{r_2} \times S$. To make things clearer, we consider the case where $r_1 = 1$ and
$r_2 = 2$. Using equations (2), (3), and (4) we obtain:

$$\begin{aligned}
[F_{\mathrm{KFC}}]^2 &= S \times L \times F \times L \times F \times L \times S \\
&= PS \times SP \times L \times PS \times \tilde F \times SP \times L \times PS \times \tilde F \times SP \times L \times PS \times SP \\
&= PS \times SW \times \bar L \times WS \times \tilde F \times SW \times \bar L \times WS \times \tilde F \times SW \times \bar L \times WS \times SP \\
&= PW \times \bar L \times WS \times \tilde F \times SW \times \bar L \times WS \times \tilde F \times SW \times \bar L \times WP.
\end{aligned}$$

Now we focus on the simplification of $WS \times \tilde F$.

5.4 Shrinking $WS \times \tilde F$, the Third (and Last) Step

We have:

$$(WS \times \tilde F)_{w,\gamma'} = \sum_{\gamma} WS_{w,\gamma}\, \tilde F_{\gamma,\gamma'} = \binom{N}{w}^{-1} q^{-w} (q-1)^{w(\gamma')} \sum_{\gamma} 1_{w(\gamma) = w}\, 1_{\gamma' \subseteq \gamma},$$

so that $(WS \times \tilde F)_{w,\gamma'}$ only depends on $w$ and on the weight of $\gamma'$. Consequently,
letting $\bar F$ be the $(N+1) \times (N+1)$ matrix defined by $\bar F_{w,w'} = q^{-w} (q-1)^{w'}\, 1_{w' \le w} \binom{w}{w'}$,
we obtain:

$$WS \times \tilde F = \bar F \times WS.$$
Final Summary of the Situation. From the previous summary and the last
shrinking step, we finally obtain that:

$$\begin{aligned}
[F_{\mathrm{KFC}}]^2 &= PW \times \bar L \times \bar F \times WS \times SW \times \bar L \times \bar F \times WS \times SW \times \bar L \times WP \\
&= PW \times \bar L \times \bar F \times \bar L \times \bar F \times \bar L \times WP.
\end{aligned}$$

In the general case, this means that $[F_{\mathrm{KFC}}]^2 = PW \times (\bar L)^{r_1} \times (\bar F \times \bar L)^{r_2} \times WP$.

5.5 Practical Computation of the Advantage

The expression we just obtained for $[F_{\mathrm{KFC}}]^2$ leads to a simple practical expression
for $\|[F_{\mathrm{KFC}}]^2 - [F^*]^2\|_a$. Noting that an adversary cannot increase his advantage
by asking twice the same query, we have:

$$\|[F_{\mathrm{KFC}}]^2 - [F^*]^2\|_a = \max_{x} \sum_{y} \max_{x' \neq x} \sum_{y'} \Bigl|[F_{\mathrm{KFC}}]^2_{(x,x'),(y,y')} - q^{-2N}\Bigr|.$$

Let $U$ be the $(N+1) \times (N+1)$ matrix defined by $U_{w,w'} = q^{-N} (q-1)^{w'} \binom{N}{w'}$, so
that for all $x, x', y, y'$ we have $(PW \times U \times WP)_{(x,x'),(y,y')} = q^{-2N}$. Consequently,
$\|[F_{\mathrm{KFC}}]^2 - [F^*]^2\|_a$ is equal to:

$$\max_{x} \sum_{y} \max_{x' \neq x} \sum_{y'} \Bigl|\bigl(PW \times \bigl((\bar L)^{r_1} \times (\bar F \times \bar L)^{r_2} - U\bigr) \times WP\bigr)_{(x,x'),(y,y')}\Bigr|.$$

As the inner matrix only depends on $w(x \oplus x')$ and on $w(y \oplus y')$, we get

$$\|[F_{\mathrm{KFC}}]^2 - [F^*]^2\|_a = \max_{w \neq 0} \sum_{w'} \Bigl|\bigl((\bar L)^{r_1} \times (\bar F \times \bar L)^{r_2} - U\bigr)_{w,w'}\Bigr|.$$

Similar computations show that $|||[F_{\mathrm{KFC}}]^2 - [F^*]^2|||_\infty = \|[F_{\mathrm{KFC}}]^2 - [F^*]^2\|_a$.

Theorem 6. Let $\bar L$, $\bar F$, and $U$ be the $(N+1) \times (N+1)$ matrices defined as above.
The advantage of the best 2-limited distinguisher $A$ (whether adaptive or not)
against $F_{\mathrm{KFC}} = S \circ (L \circ F)^{r_2} \circ (L \circ S)^{r_1}$ is given by:

$$\mathrm{Adv}_A(F_{\mathrm{KFC}}, F^*) = \frac{1}{2} \max_{w \neq 0} \sum_{w'} \Bigl|\bigl((\bar L)^{r_1} \times (\bar F \times \bar L)^{r_2} - U\bigr)_{w,w'}\Bigr|.$$

Explicit values of this advantage for some typical values of $N$, $q$, $r_1$ and $r_2$ are
given in Table 1. We note that $r_1 = 3$ is enough (at least for these parameters).
Moreover, the advantage increases with the value of $r_2$. The reason is that the
more F layers there are, the higher is the probability of an internal collision.
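As an added worked example (not code from the paper), the Theorem 6 computation is carried through below for a toy instance with N = 2 blocks of ℓ = 2 bits (q = 4) and a constructed MDS matrix L_MAT over GF(4), and the result is checked against ½‖[F_KFC]² − [F*]²‖_a computed directly on the full 256 × 256 order-2 distribution matrices of Section 5. The parameter choice, the matrix L_MAT and the float representation are assumptions of the example.

```python
import operator
from functools import lru_cache
from math import comb

Q, N = 4, 2   # q = 2^ell with ell = 2 bits per block, N blocks: a text has n = 4 bits
T = Q ** N    # 16 texts; pairs of texts index the full 256 x 256 distribution matrices

# GF(4) = GF(2)[x]/(x^2 + x + 1) with 2 = x and 3 = x + 1; addition is XOR.
GF4_MUL = [[0, 0, 0, 0], [0, 1, 2, 3], [0, 2, 3, 1], [0, 3, 1, 2]]
# Constructed 2x2 matrix over GF(4): entries and determinant are all non-zero,
# so {(x, Lx)} is an MDS [4, 2, 3] code, as the L layer requires.
L_MAT = [[1, 1], [1, 2]]

def blocks(x):  # the N GF(4) blocks of a text, most significant first
    return [(x >> (2 * (N - 1 - i))) & 3 for i in range(N)]

def apply_l(x):  # the linear layer L applied to one text
    b, out = blocks(x), 0
    for i in range(N):
        v = 0
        for j in range(N):
            v ^= GF4_MUL[L_MAT[i][j]][b[j]]
        out = (out << 2) | v
    return out

def kernel(perm, a, ap, b, bp):
    """Pr[g(a) = b, g(a') = b'] for a perfectly random permutation (perm=True)
    or a perfectly random function (perm=False) g on GF(q)."""
    if a == ap:
        return 1.0 / Q if b == bp else 0.0
    if perm:
        return 0.0 if b == bp else 1.0 / (Q * (Q - 1))
    return 1.0 / (Q * Q)

def layer_matrix(perm):
    """Order-2 distribution matrix of a layer of N independent per-block components."""
    blk = [blocks(x) for x in range(T)]
    M = [[0.0] * (T * T) for _ in range(T * T)]
    for x in range(T):
        for xp in range(T):
            for y in range(T):
                for yp in range(T):
                    p = 1.0
                    for i in range(N):
                        p *= kernel(perm, blk[x][i], blk[xp][i], blk[y][i], blk[yp][i])
                    M[x * T + xp][y * T + yp] = p
    return M

def matmul(A, B):
    cols = list(zip(*B))
    return [[sum(map(operator.mul, row, col)) for col in cols] for row in A]

@lru_cache(maxsize=None)
def base_layers():
    """[S]^2 and the products [S]^2 x [L]^2, [F]^2 x [L]^2 ([L]^2 is a permutation matrix)."""
    S, F = layer_matrix(True), layer_matrix(False)
    L = [[0.0] * (T * T) for _ in range(T * T)]
    for x in range(T):
        for xp in range(T):
            L[x * T + xp][apply_l(x) * T + apply_l(xp)] = 1.0
    return S, matmul(S, L), matmul(F, L)

def brute_force_advantage(r1, r2):
    """1/2 ||[F_KFC]^2 - [F*]^2||_a on the full 256 x 256 matrices, with
    [F_KFC]^2 = ([S]^2 [L]^2)^r1 ([F]^2 [L]^2)^r2 [S]^2 as in Section 5."""
    S, SL, FL = base_layers()
    M = None
    for factor in [SL] * r1 + [FL] * r2 + [S]:
        M = factor if M is None else matmul(M, factor)
    u = Q ** (-2 * N)  # every entry of [F*]^2
    # ||.||_a = max_x sum_y max_{x' != x} sum_{y'} |M_{(x,x'),(y,y')} - q^{-2N}|
    inner = []
    for row in M:
        dev = [abs(v - u) for v in row]
        inner.append([sum(dev[y * T:(y + 1) * T]) for y in range(T)])
    return 0.5 * max(sum(max(inner[x * T + xp][y] for xp in range(T) if xp != x)
                         for y in range(T)) for x in range(T))

def E(i):
    """Number of codewords of weight i in the [2N, N, N+1] MDS code {(x, Lx)}."""
    if i == 0:
        return 1
    if i <= N:
        return 0
    return comb(2 * N, i) * sum((-1) ** (i - j) * comb(i, j) * (Q ** (j - N) - 1)
                                for j in range(N + 1, i + 1))

def shrunk_matrices():
    """The (N+1) x (N+1) matrices L-bar, F-bar and U of Section 5."""
    W = range(N + 1)
    Lb = [[comb(N, wp) * (Q - 1) ** (-w) * E(w + wp) / comb(2 * N, w + wp) for wp in W] for w in W]
    Fb = [[Q ** (-w) * (Q - 1) ** wp * comb(w, wp) if wp <= w else 0.0 for wp in W] for w in W]
    U = [[Q ** (-N) * (Q - 1) ** wp * comb(N, wp) for wp in W] for w in W]
    return Lb, Fb, U

def theorem6_advantage(r1, r2):
    """1/2 max_{w != 0} sum_{w'} |((L-bar)^r1 (F-bar L-bar)^r2 - U)_{w,w'}| (Theorem 6)."""
    Lb, Fb, U = shrunk_matrices()
    M = [[float(i == j) for j in range(N + 1)] for i in range(N + 1)]
    for factor in [Lb] * r1 + [matmul(Fb, Lb)] * r2:
        M = matmul(M, factor)
    return 0.5 * max(sum(abs(M[w][wp] - U[w][wp]) for wp in range(N + 1))
                     for w in range(1, N + 1))
```

For this toy instance both routes give the same value, e.g. 1/4 for r1 = r2 = 1, where a weight-2 input pair is the worst case; the three shrunk matrices can be printed to follow the rows of L-bar (a weight-1 difference always becomes weight 2 through the MDS layer) against the derivation above.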

6 Bounding the Advantage of the Best d-Limited Distinguisher Against $F_{\mathrm{KFC}}$ for $d > 2$

6.1 Replacing F by F ∘ S

To simplify the proofs, we will replace each F layer of $F_{\mathrm{KFC}}$ by $F \circ S$. Both
constructions are completely equivalent in the sense that any decorrelation result
holding for the latter also holds for the original construction, the reason being
that $[F \circ S]^d = [F]^d$ (see Appendix B for a proof). From now on, we thus study
the following equivalent construction:

$$F_{\mathrm{KFC}} = F_{\mathrm{KFC}[r_1, r_2]} = S \circ (L \circ F \circ S)^{r_2} \circ (L \circ S)^{r_1}.$$

Table 1. Advantage of the best 2-limited distinguisher against $F_{\mathrm{KFC}}$

Assumption 7. For $r_1 > 2$, any $i \in \{0, \ldots, r_2\}$ and any 2-limited distinguisher
$A_2$, we have $\mathrm{Adv}_{A_2}(F_{\mathrm{KFC}[r_1, r_2]}, F^*) \ge \mathrm{Adv}_{A_2}(F_{\mathrm{KFC}[r_1, i]}, F^*)$.

This assumption seems natural from Table 1, although it might prove wrong in
the general case (in particular, the threshold for $r_1$ might be different for other
values of $N$ and $q$). However, we experimentally verified it for all values of the
parameters we consider in the rest of this paper.

In practice, Assumption 7 means that, when the advantage of the best 2-limited
distinguisher against $F_{\mathrm{KFC}}$ is negligible, this is also the case before any F
layer. The inputs of any F layer can thus be considered as pairwise independent.

6.2 Taking Advantage of the Pairwise Independence

Let $i \in \{0, \ldots, r_2\}$. Referring to Section 4, we denote by $a_{i-1}$ the event $a$ and let
$F_1 = F_{\mathrm{KFC}[r_1, i-1]}$, $F_2 = F$, and $S_3 = S \circ L$. With these notations, $F_{\mathrm{KFC}[r_1, i]} =
S_3 \circ F_2 \circ F_1$, so that equation (1) gives

$$\mathrm{Adv}_{A_d}(F_{\mathrm{KFC}[r_1, i]}, F^*) \le \mathrm{Adv}_{A_{d-1}}(F_{\mathrm{KFC}[r_1, i-1]}, F^*) + \Pr[\bar a_{i-1}].$$

Bounding $\Pr[\bar a_{i-1}]$ for all $i$ allows to recursively bound $\mathrm{Adv}_{A_d}(F_{\mathrm{KFC}[r_1, i]}, F^*)$. As
in Section 4, we denote the output of $F_1$ by $X_1, \ldots, X_d$ where, for $k = 1, \ldots, d$,
we have $X_k = (X_{k,1}, \ldots, X_{k,N})$. Let $0 \le A \le d$ be the number of $X_k$'s different
from all other texts on all $N$ blocks. We have:

$$A = \sum_{k=1}^{d} \prod_{j=1}^{N} \prod_{\substack{i=1 \\ i \neq k}}^{d} 1_{X_{k,j} \neq X_{i,j}}.$$

Using the linearity of the mean and the mutual independence of the $N$ blocks,
we obtain $E(A) = d \cdot \bigl(\Pr[X_{1,1} \notin \{X_{2,1}, \ldots, X_{d,1}\}]\bigr)^N$.
Property 8. For $d > 0$ we have $V_d = \Pr[X_{1,1} \notin \{X_{2,1}, \ldots, X_{d,1}\}] \ge 1 - \frac{d-1}{q}$
and thus, $E(A) \ge d \cdot \bigl(1 - \frac{d-1}{q}\bigr)^N$.

Proof. The proof is done by induction on $d$. For $d = 1$ the result is trivial.
Assume $V_d \ge 1 - (d-1)/q$ for an arbitrary $d$. As stated in Section 6.1, we can
assume that the $X_i$'s are pairwise independent and thus:

$$V_{d+1} = V_d - \Pr[X_{1,1} \notin \{X_{2,1}, \ldots, X_{d,1}\},\ X_{1,1} = X_{d+1,1}]
\ge V_d - \Pr[X_{1,1} = X_{d+1,1}] = V_d - \frac{1}{q}.$$

The expression we obtained for $E(A)$ leads to the final result. □

Using this result, we can easily bound $\Pr[\bar a_i]$ as $E(A) = \sum_{k=1}^{d} k \Pr[A = k] \le
d \Pr[A \neq 0] = d \Pr[a_i]$, so that, for all $i \in \{0, \ldots, r_2\}$,

$$\Pr[\bar a_i] \le 1 - \frac{E(A)}{d} \le 1 - \Bigl(1 - \frac{d-1}{q}\Bigr)^N. \qquad (5)$$


6.3 Piling-Up the Rounds

Obviously, the bound on $\Pr[\bar a_i]$ we just obtained cannot be used directly to obtain
a meaningful bound on the advantage of high order distinguishers. Consequently,
we will consider $t$ successive $a_i$ events and give an upper bound on the probability
that none of them occurs. We have $\Pr[\bar a_1, \ldots, \bar a_t] = \Pr[\bar a_t \mid \bar a_1, \ldots, \bar a_{t-1}] \cdot
\Pr[\bar a_1, \ldots, \bar a_{t-1}]$. As the bound on $E(A)$ only relies on the pairwise independence
of the inputs of the $i$-th round, the bound given by equation (5) can also
be proven for $\Pr[\bar a_t \mid \bar a_1, \ldots, \bar a_{t-1}]$. By induction, we finally obtain that:

$$\Pr[\bar a_1, \ldots, \bar a_t] \le \Bigl(1 - \Bigl(1 - \frac{d-1}{q}\Bigr)^N\Bigr)^t.$$

Theorem 9. Assume that the advantage of the best 2-limited distinguisher on
$F_{\mathrm{KFC}[r_1, r_2]}$ is bounded by $\epsilon$. For any $d$ and set of integers $\{t_3, \ldots, t_d\}$ such that
$\sum_{i=3}^{d} t_i \le r_2$, the advantage of the best $d$-limited distinguisher $A_d$ on $F_{\mathrm{KFC}[r_1, r_2]}$
is such that:

$$\mathrm{Adv}_{A_d}(F_{\mathrm{KFC}[r_1, r_2]}, F^*) \le \epsilon + \sum_{i=3}^{d} \Bigl(1 - \Bigl(1 - \frac{i-1}{q}\Bigr)^N\Bigr)^{t_i}.$$

Fixing $r_1 = 3$, the previous theorem bounds, for any value of $d$, the advantage
of the best $d$-limited distinguisher against a given number of rounds $r_2$ of $F_{\mathrm{KFC}}$.
In Table 2 we give the best bounds we obtain for various values of $r_2$, $d$, $N$, and
$q$. If one aims at a specific value of $d$ and wants to select $r_2$ in order to bound
the advantage of the best $d$-limited distinguisher, the best choice is probably to
select the $t_i$'s such that $\Pr[\bar a_1, \ldots, \bar a_{t_i}] \le \epsilon$, which bounds the advantage by $d \cdot \epsilon$.
The following theorem generalizes this idea.
Table 2. Bounds on $\mathrm{Adv}_{A_d}$ for $r_1 = 3$ and various parameters 

                    N = 8 and q = 2^8                                 N = 8 and q = 2^16
 r_2    d=2    d=3    d=4    d=8    d=16   d=32   d=64    d=2      d=3      d=4      d=8      d=16     d=32     d=64
 10     2^-52  2^-40  2^-17  2^-2   1      1      1       2^-116   2^-116   2^-57    2^-11    1        1        1
 100    2^-49  2^-49  2^-49  2^-46  2^-11  1      1       2^-113   2^-113   2^-113   2^-113   2^-66    2^-23    2^-5
 250    2^-48  2^-48  2^-48  2^-48  2^-33  2^-5   1       2^-112   2^-112   2^-112   2^-112   2^-112   2^-69    2^-25
 1000   2^-46  2^-46  2^-46  2^-46  2^-46  2^-35  2^-2    2^-110   2^-110   2^-110   2^-110   2^-110   2^-110   2^-110
Theorem 10. Assume that the advantage of the best 2-limited distinguisher 
against $F_{KFC}[r_1, r_2]$ is bounded by $\varepsilon$. Let: 

$$t_d(\beta) = \min_{t} \left\{ t : \Pr[\bar{a}_1, \ldots, \bar{a}_t] \le \beta \cdot \varepsilon \right\} 
= \left\lceil \frac{\log(\beta \varepsilon)}{\log\left(1 - \left(1 - \frac{d-1}{q}\right)^N\right)} \right\rceil.$$

For any $d$ such that $\sum_{i=3}^{d} t_i(\beta) \le r_2$, the advantage of the best $d$-limited distin- 
guisher $A_d$ against $F_{KFC}[r_1, r_2]$ is such that: 

$$\mathrm{Adv}_{A_d}(F_{KFC}[r_1, r_2], F^*) \le \varepsilon + \sum_{i=3}^{d} \left(1 - \left(1 - \frac{i-1}{q}\right)^N\right)^{t_i(\beta)} \le \varepsilon \cdot (1 + (d-2) \cdot \beta).$$
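The bound of Theorem 9 and the round count $t_d(\beta)$ of Theorem 10 are easy to evaluate numerically, which is how the entries of Table 2 can be checked. The following Python script is an added example and not code from the KFC paper; the greedy way of choosing the $t_i$ is our own (each term $b_i^{t}$ is convex and decreasing in $t$, so spending each extra round where the marginal decrease is largest is optimal), and $\varepsilon$ is passed in as a parameter since the paper computes the 2-limited bound separately.

```python
import math

# Added example, not code from the paper: evaluates the bound of Theorem 9 and
# t_d(beta) of Theorem 10.  The greedy allocation of the t_i is ours.


def term_base(N, q, i):
    """b_i = 1 - (1 - (i-1)/q)^N, the bound (5) on Pr[a_i-bar] for d = i."""
    return 1.0 - (1.0 - (i - 1) / q) ** N


def advantage_bound(N, q, r2, d, eps):
    """Theorem 9: returns (bound, t) with bound = eps + sum_{i=3}^d b_i^{t_i},
    the integers t_i >= 1 with sum t_i <= r2 being chosen to minimise the sum."""
    if d < 3:
        return eps, {}
    if d - 1 >= q or d - 2 > r2:
        return 1.0, {}                      # nothing useful can be proven
    base = {i: term_base(N, q, i) for i in range(3, d + 1)}
    t = {i: 1 for i in base}                # every term needs at least one round
    for _ in range(r2 - (d - 2)):
        # spend one more round on the term whose value drops the most;
        # b^t is convex in t, so this greedy choice is optimal
        i = max(base, key=lambda i: base[i] ** t[i] * (1.0 - base[i]))
        t[i] += 1
    return eps + sum(base[i] ** t[i] for i in base), t


def log2_advantage_bound(N, q, r2, d, eps):
    """log2 of the Theorem 9 bound, the form used in Table 2."""
    bound, _ = advantage_bound(N, q, r2, d, eps)
    return math.log2(bound)


def rounds_needed(N, q, d, eps, beta):
    """t_d(beta) of Theorem 10: the least t with b_d^t <= beta * eps."""
    return math.ceil(math.log(beta * eps) / math.log(term_base(N, q, d)))


def theorem10_bound(N, q, r2, d, eps, beta):
    """eps + sum_i b_i^{t_i(beta)} when sum_i t_i(beta) <= r2, else None.
    By construction each term is <= beta*eps, so the result is <= eps*(1+(d-2)*beta)."""
    ts = {i: rounds_needed(N, q, i, eps, beta) for i in range(3, d + 1)}
    if sum(ts.values()) > r2:
        return None
    return eps + sum(term_base(N, q, i) ** ts[i] for i in ts)


if __name__ == "__main__":
    # Table 2, N = 8, q = 2^8, r_2 = 10: d = 3 gives about 2^-40, d = 4 about 2^-17
    for d in (3, 4, 8):
        print(d, log2_advantage_bound(8, 2 ** 8, 10, d, 2.0 ** -52))
    print(rounds_needed(8, 2 ** 8, 3, 2.0 ** -52, 1.0))
```

With $N = 8$, $q = 2^8$, $r_2 = 10$ the script returns about $2^{-40.4}$ for $d = 3$ (all ten rounds go to the single term) and about $2^{-17.2}$ for $d = 4$ (five rounds each), matching the first row of Table 2; it also shows that with $\varepsilon = 2^{-52}$ and $\beta = 1$, Theorem 10 needs $t_3(1) = 13$ rounds, more than the 10 available, so that theorem only applies once $r_2$ is large enough.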


7 Conclusion 

We introduced KFC, a block cipher based on a three round Feistel scheme. Each 
of the three round functions has an SPN-like structure for which we can either 
compute or bound the advantage of the best $d$-limited adaptive adversary, for any 
value of $d$. Using results from the Decorrelation Theory, we extend these results 
to the whole KFC construction. At this time, no key schedule has been specified 
for KFC. We suggest to use the same trick as in [1], i.e., use a key schedule based 
on a cryptographically secure pseudo-random generator (for example the good 
old BBS [10] or a faster generator like QUAD [4,3]). This way, all the results 
we have proven assuming the mutual independence of the random functions and 
permutations remain valid when implementing KFC in practice with a 128-bit 
secret key. We propose two sets of parameters: 

Regular KFC: $N = 8$, $q = 2^8$, $r_1 = 3$, $r_2 = 100$. These parameters 
lead to provable security against 8-limited adaptive distinguishers. Consequently, 
Regular KFC is resistant to iterated attacks of order 4, which include linear and 
differential cryptanalysis, the boomerang attack and others. Based on existing 
implementation results in C, we estimate the encryption speed of Regular KFC 
to 15-25 Mbits/s on a Pentium IV 2GHz. The key schedule needs to generate 
approximately $2^{22}$ cryptographically secure pseudo-random bits. 

Extra Crispy KFC: $N = 8$, $q = 2^{10}$, $r_1 = 3$, $r_2 = 1000$. Using these quite 
extreme parameters, we manage to obtain provable security against 70-limited 
adaptive adversaries, but the encryption rate could probably never reach more than 
1 Mbit/s. Also, the key schedule should produce $2^{35}$ pseudo-random bits, which 
means that Extra Crispy KFC requires at least 4 GB of memory. 

To the best of our knowledge, KFC is the first practical block cipher to propose 
tight security proofs of resistance against large classes of attacks, including most 
classical cryptanalysis (such as linear and differential cryptanalysis, taking the hull 
effect into consideration in both cases, higher order differential cryptanalysis, the 
boomerang attack, differential-linear cryptanalysis, or the rectangle attack). 
A Proof of $|1 - 2 \cdot \Pr[A_d(F) = 1 \mid a]| = \mathrm{Adv}_{A_{d-1}}(F, F^*)$ 

Without loss of generality, we can assume that the adversary does not make the 
same query twice (as this would not increase its advantage) and that the event $a$ 
is true for the $d$-th query. In this case, we know that $(F_2 \circ F_1)(x_d)$ is a uniformly 
distributed random variable independent of $(F_2 \circ F_1)(x_i)$ for all $i < d$. As $S_3$ is a 
permutation, this property is still true for $(S_3 \circ F_2 \circ F_1)(x_d) = F(x_d)$. Denoting 
by $Y$ this random variable we have: 

$$\Pr[F(x_1) = y_1, \ldots, F(x_d) = y_d \mid a] = \Pr[F(x_1) = y_1, \ldots, F(x_{d-1}) = y_{d-1}, Y = y_d] 
= 2^{-n} \Pr[F(x_1) = y_1, \ldots, F(x_{d-1}) = y_{d-1}].$$

Let $\Delta = |1 - 2 \cdot \Pr[A_d(F) = 1 \mid a]|$. Similarly to the proof of Theorem 10 in [26] 
we know that: 

$$\Delta = \frac{1}{2} \max_{x_1} \sum_{y_1} \cdots \max_{x_d} \sum_{y_d} \left| \Pr[F(x_1) = y_1, \ldots, F(x_d) = y_d \mid a] - 2^{-d \cdot n} \right|.$$

From the two previous equations we obtain that: 

$$\Delta = \frac{1}{2} \max_{x_1} \sum_{y_1} \cdots \max_{x_d} \sum_{y_d} 2^{-n} \left| \Pr[F(x_1) = y_1, \ldots, F(x_{d-1}) = y_{d-1}] - 2^{-(d-1) \cdot n} \right|$$

$$= \frac{1}{2} \max_{x_1} \sum_{y_1} \cdots \max_{x_{d-1}} \sum_{y_{d-1}} \left| \Pr[F(x_1) = y_1, \ldots, F(x_{d-1}) = y_{d-1}] - 2^{-(d-1) \cdot n} \right|$$

$$= \mathrm{Adv}_{A_{d-1}}(F, F^*).$$

B Proof That $[F \circ S]^d = [F]^d$ 

For any $x = (x_1, \ldots, x_d)$, $y = (y_1, \ldots, y_d) \in \{0,1\}^{nd}$ we have: 

$$[F \circ S]^d(x, y) = \Pr\left[(x_1, \ldots, x_d) \xrightarrow{F \circ S} (y_1, \ldots, y_d)\right]$$

$$= \prod_{i=1}^{N} \Pr\left[(x_{1,i}, \ldots, x_{d,i}) \xrightarrow{F \circ C} (y_{1,i}, \ldots, y_{d,i})\right]$$

$$= \prod_{i=1}^{N} \frac{1}{|C|} \sum_{c \in C} \Pr\left[(c(x_{1,i}), \ldots, c(x_{d,i})) \xrightarrow{F} (y_{1,i}, \ldots, y_{d,i})\right]$$

$$= \prod_{i=1}^{N} \frac{1}{|C|} \sum_{c \in C} \Pr\left[(x_{1,i}, \ldots, x_{d,i}) \xrightarrow{F} (y_{1,i}, \ldots, y_{d,i})\right] \quad \text{(since $F \circ c$ is distributed as $F$ for any fixed permutation $c$)}$$

$$= \prod_{i=1}^{N} \Pr\left[(x_{1,i}, \ldots, x_{d,i}) \xrightarrow{F} (y_{1,i}, \ldots, y_{d,i})\right]$$

$$= \Pr\left[(x_1, \ldots, x_d) \xrightarrow{F} (y_1, \ldots, y_d)\right] = [F]^d(x, y).$$
Abstract. In this paper, we describe generic attacks on unbalanced Feis- 
tel schemes with contracting functions. These schemes are used to con- 
struct pseudo-random permutations from $kn$ bits to $kn$ bits by 
using $d$ pseudo-random functions from $(k-1)n$ bits to $n$ bits. We 
describe known plaintext attacks (KPA) and non-adaptive chosen plain- 
text attacks (CPA-1) against these schemes with less than $2^{kn}$ 
plaintext/ciphertext pairs and complexity strictly less than $O(2^{kn})$ for a 
number of rounds $d \le 2k-1$. Consequently at least $2k$ rounds are neces- 
sary to avoid generic attacks. For $k = 3$, we found attacks up to 6 rounds, 
so 7 rounds are required. When $d \ge 2k$, we also describe some attacks on 
schemes with generators (i.e. schemes where the $d$ pseudo-random func- 
tions are generated) and where more than one permutation is required. 

Keywords: unbalanced Feistel permutations, pseudo-random permuta- 
tions, generic attacks, Luby-Rackoff theory, block ciphers. 


1 Introduction 

Feistel schemes are widely used in symmetric cryptography in order to construct 
pseudo-random permutations. In trying to design such a scheme, one of the natural 
questions is: what is the minimum number of rounds required to avoid all 
the "generic attacks". By generic attacks we mean all the attacks effective with 
high probability when the round functions are randomly chosen. We are mainly 
interested in generic attacks with a complexity that is much smaller than a search 
on all possible inputs of the permutation. 

Many results are known on classical (balanced) Feistel schemes. In [7], Luby 
and Rackoff have shown their famous result: for more than 3 rounds all the 
generic chosen plaintext attacks on Feistel schemes require at least $O(2^{n/2})$ inputs. 
Moreover for more than 4 rounds all the generic attacks on adaptive chosen 
plaintext/ciphertext require at least $O(2^{n/2})$ inputs. These bounds are tight [1,10]. 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 396-411, 2006. 
© International Association for Cryptologic Research 2006 
It has also been proved that to avoid all attacks with less than $2^{2n}$ computations 
at least 6 rounds of balanced Feistel schemes are needed [2,11,12]. This result is 
still valid if the round functions are permutations [5,6]. For more than 6 rounds, 
some attacks are still possible but with more than $2^{2n}$ computations [11]. All 
these results on classical Feistel schemes are summarized in Table 1: 

Table 1. Results (from [12]) on $G_2^d$. For more than 6 rounds more than one permutation 
is needed or more than $2^{2n}$ computations are needed in the best known attacks to 
distinguish $G_2^d$ from a random permutation with an even signature. 

                    KPA           CPA-1         CPCA-2
 G_2^1              1             1             1
 G_2^2              2^{n/2}       2             2
 G_2^3              2^{n/2}       2^{n/2}       3
 G_2^4              2^n           2^{n/2}       2^{n/2}
 G_2^5              2^{3n/2}      2^n           2^n
 G_2^6              2^{2n}        2^{2n}        2^{2n}
 G_2^7              2^{3n}        2^{3n}        2^{3n}
 G_2^8              2^{4n}        2^{4n}        2^{4n}
 G_2^d, d ≥ 8       2^{(d-4)n}    2^{(d-4)n}    2^{(d-4)n}


The aim of this paper is to look for similar results for the case of unbalanced 
Feistel schemes with contracting functions: we call such schemes “contracting 
Feistel Schemes”. A precise definition of these schemes is given in Sect. 2. The 
case of unbalanced Feistel schemes with expanding functions instead of contract- 
ing functions is studied in [4,14,15]. Some results on contracting Feistel schemes 
or on small transformations of these schemes can be found in [8,9]. In [9], Naor 
and Reingold studied the security of contracting Feistel schemes with pairwise 
independent permutations. They show lower bounds for the security of such 
schemes. Lucks [8] gives some security results on contracting Feistel schemes 
built with hash functions. 

The paper is organized as follows. In Sect. 2 and 3, we introduce notations 
and present precise definitions of the considered schemes and an overview of our 
attacks. In Sect. 4, we study attacks for k = 3 and d < 6. Then in Sect. 5, we give 
attacks for any k and d < 2k — 1. Finally, Sect. 6 is devoted to what can be done 
with more than 2 kn computations. In particular, we describe attacks against 
permutation generators. All the results are summarized in the conclusion: these 
tables extend the above Table 1 to the case of unbalanced Feistel schemes with 
contracting functions. 

2 Notation 

Our notation is very similar to that used in [7] and [9]. We also follow the 
construction given in [9]. $[a, b]$ denotes the concatenation of strings $a$ and $b$. An 
Unbalanced Feistel Scheme with Contracting Functions $G_k^d$ is a Feistel scheme 
with $d$ rounds. At round $j$, we denote by $f_j$ the round function from $(k-1)n$ 
bits to $n$ bits. On some input $[I^1, I^2, \ldots, I^k]$, $G_k^d$ produces an output denoted by 
$[S^1, S^2, \ldots, S^k]$ by going through $d$ rounds. At each round, the last $(k-1)n$ bits 
of the round entry are used as an input to the round function $f_j$, which produces 
$n$ bits. Those bits are xored to the first $n$ bits of the round entry. Finally before 
going to round $j+1$, the $kn$ bit value is rotated by $n$ bits. 

We introduce the internal variable $X^j$: it is the only $n$-bit value which is 
modified at round $j$ and which becomes the $k$-th coordinate of the internal state 
after $j$ rounds. For example, we have: 

$$X^1 = I^1 \oplus f_1([I^2, \ldots, I^k]),$$

$$X^2 = I^2 \oplus f_2([I^3, \ldots, I^k, X^1]),$$

$$X^3 = I^3 \oplus f_3([I^4, \ldots, I^k, X^1, X^2]),$$

$$\ldots$$

The first round of $G_k^d$ is represented in Fig. 1 below. 

[Fig. 1. First Round of $G_k^d$: the input $[I^1, I^2, I^3, \ldots, I^k]$ is mapped to 
$[I^2, I^3, \ldots, I^k, X^1]$ with $X^1 = I^1 \oplus f_1([I^2, \ldots, I^k])$.] 

3 Overview of the Attacks 

We present several attacks that allow us to distinguish $G_k^d$ from a random permu- 
tation. Depending on the number of rounds, it is possible to find some relations 
between the input variables and output variables. Those relations hold condi- 
tionally to equalities of some internal variables due to the structure of the Feistel 
scheme. Our attacks consist in using $m$ plaintext/ciphertext tuples and in 
counting the number $\mathcal{N}_{G_k^d}$ of pairs of these tuples that satisfy the above relations. 
We then compare $\mathcal{N}_{G_k^d}$ with the equivalent number $\mathcal{N}_{perm}$ if a random permuta- 
tion is used instead of $G_k^d$. Our attack is successful, i.e. it is able to distinguish 
$G_k^d$ from a random permutation, if the difference $|E(\mathcal{N}_{G_k^d}) - E(\mathcal{N}_{perm})|$ is much 
larger than the standard deviation $\sigma_{perm}$ and than the standard deviation $\sigma_{G_k^d}$, 
where $E$ denotes the expectation. More general cases of success are also 
given in the extended version of this paper [13]. 

In order to compute these values, we need to take into account the fact that the 
$m^2$ pairs obtained from the $m$ plaintext/ciphertext tuples are not independent. 
However their mutual dependence is very small. To compute $\sigma_{perm}$ and $\sigma_{G_k^d}$, we 
will use this well-known formula that we will call the "Covariance Formula": 

$$V\left(\sum_i X_i\right) = \sum_i V(X_i) + 2 \sum_{i<j} \left[E(X_i X_j) - E(X_i) E(X_j)\right],$$

where the $X_i$ are random variables. 

We can note that for a small number of rounds $d < k$, a distinguishing at- 
tack is very easy to find. The output of $G_k^d$ is $[S^1, S^2, \ldots, S^k]$ which is equal to 
$[I^{d+1}, \ldots, I^k, X^1, \ldots, X^d]$. This shows that we can easily mount a KPA attack 
with one single message. We just have to test if the first coordinate of the out- 
put is equal to the coordinate of rank $d+1$ of the input. This leads us to start 
investigating attacks for schemes with at least $k$ rounds. 

4 Generic Attacks When $k = 3$ and $3 \le d \le 6$ 

We first study schemes with $k = 3$ since this case is slightly different from the 
general case $k \ge 4$ and since it gives simple examples of what we will do. We 
have $[S_i^1, S_i^2, S_i^3] = G_3^d([I_i^1, I_i^2, I_i^3])$. 

4.1 Attacks on 3 Rounds: $G_3^3$ 

$G_3^3$: 3 rounds, CPA-1 with $m = 2$ messages. Let us choose $I_1^2 = I_2^2$, $I_1^3 = I_2^3$ and 
$I_1^1 \ne I_2^1$. Then the attack just tests if $S_1^1 \oplus S_2^1 = I_1^1 \oplus I_2^1$. This will occur with 
probability 1 if $f$ is a $G_3^3$ (since $S^1 = X^1 = I^1 \oplus f_1([I^2, I^3])$) and with probability 
$\simeq \frac{1}{2^n}$ if $f$ is a random permutation. 
So with three rounds there is a generic attack with two non-adaptive chosen 
queries and $O(1)$ computations. 

$G_3^3$: 3 rounds, KPA with $m \simeq 2^n$ messages. It is possible to transform this non- 
adaptive chosen plaintext attack into a known plaintext attack as follows. If we 
have $m \ge 2^n$ random inputs $[I_i^1, I_i^2, I_i^3]$, then (since $m^2 \ge 2^{2n}$) with a good 
probability we will have a collision $I_i^2 = I_j^2$ and $I_i^3 = I_j^3$, $i \ne j$. Then we test if 
$S_i^1 \oplus S_j^1 = I_i^1 \oplus I_j^1$. Now the attack requires $O(2^n)$ random queries and $O(2^n)$ 
computations. 
4.2 Attacks on 4 Rounds: $G_3^4$ 

When the input $[I^1, I^2, I^3]$ is given, we have introduced the internal variable 
$X^1 = I^1 \oplus f_1([I^2, I^3])$ and the following conditions hold: 

$I_i^2 = I_j^2$ and $I_i^3 = I_j^3 \Rightarrow X_i^1 \oplus X_j^1 = I_i^1 \oplus I_j^1$ 
$I_i^3 = I_j^3$ and $X_i^1 = X_j^1 \Rightarrow S_i^1 \oplus S_j^1 = I_i^2 \oplus I_j^2$ 
$X_i^1 = X_j^1$ and $S_i^1 = S_j^1 \Rightarrow S_i^2 \oplus S_j^2 = I_i^3 \oplus I_j^3$ 
$S_i^1 = S_j^1$ and $S_i^2 = S_j^2 \Rightarrow S_i^3 \oplus S_j^3 = X_i^1 \oplus X_j^1$ 

The attack exploits the second condition. It proceeds as follows: we choose $m$ 
messages such that $\forall i$, $I_i^3 = 0$ and $I_i^2 \ne I_j^2$ for all $i \ne j$. We then count $\mathcal{N}_{G_3^4}$, the 
number of pairs $(i,j)$ with $i < j$ such that $I_i^2 \oplus I_j^2 = S_i^1 \oplus S_j^1$. For a random 
permutation, this condition appears only by chance. Thus we get: 

$$\mathcal{N}_{perm} \simeq \frac{m(m-1)}{2 \cdot 2^n} + O\left(\frac{m}{2^{n/2}}\right).$$

Here $O(\frac{m}{2^{n/2}})$ denotes the standard deviation. This can be easily proved using the 
Covariance Formula, see Appendix A or the full version of this article [13]. 

For $G_3^4$, the equation $I_i^2 \oplus I_j^2 = S_i^1 \oplus S_j^1$ can occur at random with probability 
$2^{-n}$ or from the internal collision $X_i^1 = X_j^1$. Since $I_i^3$ is equal to zero for all $i$, we 
have $X_i^1 = I_i^1 \oplus f_1([I_i^2, 0])$. Since $f_1$ is a random function and the $I_i^2$ are pairwise 
distinct, the values $f_1([I_i^2, 0])$ and consequently the $X_i^1$ are uniformly distributed 
independent random variables. Consequently the internal collision $X_i^1 = X_j^1$ appears with 
probability $2^{-n}$ and we have: 

$$\mathcal{N}_{G_3^4} \simeq \frac{m(m-1)}{2 \cdot 2^n} + \frac{m(m-1)}{2 \cdot 2^n} + O\left(\frac{m}{2^{n/2}}\right),$$

where $O(\frac{m}{2^{n/2}})$ denotes the standard deviation (proof is given below). We can 
distinguish the two permutations when the difference between the mean values 
is larger than the standard deviation, i.e. when $\frac{m^2}{2^n} \gg \frac{m}{2^{n/2}}$, i.e. for $m \gg 2^{n/2}$. This 
generic attack requires $O(2^{n/2})$ random queries and $O(2^{n/2})$ computations. 

As explained previously, we can transform this attack into a known plaintext 
attack with $m \simeq 2^n$. 

Proof of the Standard Deviation $\sigma_{G_3^4}$ 

We introduce the following random variables: 

$$\delta_{i,j} = \begin{cases} 1 & \text{if } I_i^2 \oplus I_j^2 = S_i^1 \oplus S_j^1 \\ 0 & \text{otherwise.} \end{cases}$$

Since we have chosen all the $I_i^3$ equal to zero, we can say equivalently that 
$\delta_{i,j}$ is equal to one when $f_2([0, X_i^1]) = f_2([0, X_j^1])$. $\mathcal{N}_{G_3^4}$ is defined as $\sum_{i<j} \delta_{i,j}$ 
and it is easy to compute $E(\delta_{i,j}) = \frac{2}{2^n} - \frac{1}{2^{2n}}$ (either $X_i^1 = X_j^1$, or $X_i^1 \ne X_j^1$ and 
$f_2$ collides). We now compute the variance 

$$V(\delta_{i,j}) = E(\delta_{i,j}^2) - E(\delta_{i,j})^2 = E(\delta_{i,j}) - E(\delta_{i,j})^2 = \frac{2}{2^n} - \frac{5}{2^{2n}} + \frac{4}{2^{3n}} - \frac{1}{2^{4n}}.$$

We recall the Covariance Formula: 

$$V(\mathcal{N}_{G_3^4}) = \sum_{i<j} V(\delta_{i,j}) + \sum_{\substack{i<j,\; k<l \\ (i,j) \ne (k,l)}} \left[E(\delta_{i,j} \delta_{k,l}) - E(\delta_{i,j}) E(\delta_{k,l})\right].$$

We need to compute $\mathrm{Cov}(i,j,k,l) = E(\delta_{i,j} \delta_{k,l}) - E(\delta_{i,j}) E(\delta_{k,l})$. Let us first 
consider the case where $i, j, k, l$ are pairwise distinct. We need to consider the 
influence of the equality $f_2([0, X_i^1]) = f_2([0, X_j^1])$ over the equality $f_2([0, X_k^1]) = 
f_2([0, X_l^1])$. It can only happen if $X_i^1 \ne X_j^1$ and if either $X_i^1 = X_k^1$ and $X_j^1 = X_l^1$ 
or $X_i^1 = X_l^1$ and $X_j^1 = X_k^1$. In that case we have also $X_k^1 \ne X_l^1$. This event 
happens with probability $\frac{2}{2^{2n}}\left(1 - \frac{1}{2^n}\right)$ and both equalities have a probability $\frac{1}{2^n}$ 
instead of $\frac{2}{2^n}$. This gives a covariance equal to 

$$\frac{2}{2^{3n}} - \frac{4}{2^{4n}} + \frac{2}{2^{5n}}.$$

The second case is if both equations are sharing an index, for example $i = k$. 
We need to consider the influence of the equality $f_2([0, X_i^1]) = f_2([0, X_j^1])$ over 
the equality $f_2([0, X_i^1]) = f_2([0, X_l^1])$. It can only happen if $X_j^1 = X_l^1$ (with $X_i^1 \ne X_j^1$). 
This event happens with probability $\frac{1}{2^n}\left(1 - \frac{1}{2^n}\right)$ and both equalities have a probability $\frac{1}{2^n}$ 
instead of $\frac{2}{2^n}$. This gives a covariance equal to 

$$\frac{1}{2^{2n}} - \frac{2}{2^{3n}} + \frac{1}{2^{4n}}.$$

Consequently, summing the $\frac{m(m-1)}{2}$ variances, the $O(m^3)$ covariances of pairs sharing 
an index and the $O(m^4)$ covariances of disjoint pairs, and since $m$ is smaller than $2^n$, 
we get: 

$$V(\mathcal{N}_{G_3^4}) \simeq \frac{m^2}{2^n} \quad \text{and} \quad \sigma_{G_3^4} \simeq \frac{m}{2^{n/2}}.$$

4.3 Attacks on 5 Rounds: $G_3^5$ 

For 5 rounds, the internal variables are $X^1$ and $X^2 = I^2 \oplus f_2([I^3, X^1])$. We have 
the following conditions: 

$I_i^2 = I_j^2$ and $I_i^3 = I_j^3 \Rightarrow X_i^1 \oplus X_j^1 = I_i^1 \oplus I_j^1$ 
$I_i^3 = I_j^3$ and $X_i^1 = X_j^1 \Rightarrow X_i^2 \oplus X_j^2 = I_i^2 \oplus I_j^2$ 
$X_i^1 = X_j^1$ and $X_i^2 = X_j^2 \Rightarrow S_i^1 \oplus S_j^1 = I_i^3 \oplus I_j^3$ 
$X_i^2 = X_j^2$ and $S_i^1 = S_j^1 \Rightarrow S_i^2 \oplus S_j^2 = X_i^1 \oplus X_j^1$ 
$S_i^1 = S_j^1$ and $S_i^2 = S_j^2 \Rightarrow S_i^3 \oplus S_j^3 = X_i^2 \oplus X_j^2$ 

The attack proceeds as follows: we choose $m$ messages such that $\forall i$, $I_i^2 = 0$, 
$I_i^3 = 0$ and the $I_i^1$ values are pairwise distinct. Notice that this directly implies 
$X_i^1 \oplus X_j^1 = I_i^1 \oplus I_j^1$, so the $X_i^1$ values are pairwise distinct. Let $\mathcal{N}$ be the number 
of pairs $(i,j)$, $i < j$ such that $S_i^1 = S_j^1$ and $I_i^1 \oplus I_j^1 = S_i^2 \oplus S_j^2$. With a random 
permutation, these two conditions appear by chance and we have: 

$$\mathcal{N}_{perm} \simeq \frac{m(m-1)}{2 \cdot 2^{2n}} + O\left(\frac{m}{2^n}\right).$$

Here $O(\frac{m}{2^n})$ is the standard deviation. For a $G_3^5$, $S_i^1 = S_j^1$ and $I_i^1 \oplus I_j^1 = S_i^2 \oplus S_j^2$ 
appear at random or as a consequence of $X_i^2 = X_j^2$ and $S_i^1 = S_j^1$. This gives: 

$$\mathcal{N}_{G_3^5} \simeq \frac{m(m-1)}{2 \cdot 2^{2n}} + \frac{m(m-1)}{2 \cdot 2^{2n}} + O\left(\frac{m}{2^n}\right).$$

We can distinguish the two permutations when the difference between the mean 
values is larger than the standard deviation, i.e. when $\frac{m^2}{2^{2n}} \gg \frac{m}{2^n}$, or $m \gg 2^n$. 
Remark: here $m \le 2^n$ since $I_i^2 = 0$ and $I_i^3 = 0$; so the attack will succeed when 
$m \simeq 2^n$. 

As before this attack leads to a KPA attack with $2^{2n}$ messages. But there is 
a better attack as we can see now. 

$G_3^5$: 5 rounds, KPA with $m \simeq 2^{3n/2}$ messages 

For this attack, let $\mathcal{N}$ be the number of pairs $(i,j)$, $i < j$, such that $I_i^3 \oplus I_j^3 = 
S_i^1 \oplus S_j^1$. For a random permutation, we have: 

$$\mathcal{N}_{perm} \simeq \frac{m(m-1)}{2 \cdot 2^n} + O\left(\frac{m}{\sqrt{2^n}}\right)$$

where $\frac{m}{\sqrt{2^n}}$ is the standard deviation, while for $G_3^5$ we obtain (since $S^1 = X^3 = 
I^3 \oplus f_3([X^1, X^2])$, the condition is implied by $X_i^1 = X_j^1$ and $X_i^2 = X_j^2$) 

$$\mathcal{N}_{G_3^5} \simeq \frac{m^2}{2 \cdot 2^n} + \frac{m^2}{2 \cdot 2^{2n}}.$$

We can distinguish the two permutations when the difference between the 
mean values is larger than the standard deviation, i.e. when $\frac{m^2}{2^{2n}} \gg \frac{m}{\sqrt{2^n}}$, i.e. for 
$m \gg 2^{3n/2}$. 


4.4 Attacks on 6 Rounds: $G_3^6$ 

For 6 rounds, the internal variables are $X^1$, $X^2$ and $X^3 = I^3 \oplus f_3([X^1, X^2])$. We 
have the following conditions: 

$I_i^2 = I_j^2$ and $I_i^3 = I_j^3 \Rightarrow X_i^1 \oplus X_j^1 = I_i^1 \oplus I_j^1$ 
$I_i^3 = I_j^3$ and $X_i^1 = X_j^1 \Rightarrow X_i^2 \oplus X_j^2 = I_i^2 \oplus I_j^2$ 
$X_i^1 = X_j^1$ and $X_i^2 = X_j^2 \Rightarrow X_i^3 \oplus X_j^3 = I_i^3 \oplus I_j^3$ 
$X_i^2 = X_j^2$ and $X_i^3 = X_j^3 \Rightarrow S_i^1 \oplus S_j^1 = X_i^1 \oplus X_j^1$ 
$X_i^3 = X_j^3$ and $S_i^1 = S_j^1 \Rightarrow S_i^2 \oplus S_j^2 = X_i^2 \oplus X_j^2$ 
$S_i^1 = S_j^1$ and $S_i^2 = S_j^2 \Rightarrow S_i^3 \oplus S_j^3 = X_i^3 \oplus X_j^3$ 

The attack proceeds as follows: we choose $m$ messages such that $\forall i$, $I_i^3 = 0$. Let 
$\mathcal{N}$ be the number of pairs $(i,j)$, $i < j$, such that $I_i^2 = I_j^2$ and $I_i^1 \oplus I_j^1 = S_i^1 \oplus S_j^1$. 
With a random permutation, we have: 

$$\mathcal{N}_{perm} \simeq \frac{m(m-1)}{2 \cdot 2^{2n}} + O\left(\frac{m}{2^n}\right)$$

where $O(\frac{m}{2^n})$ is the standard deviation. For a $G_3^6$, since all the $I_i^3$ values are 
equal, $I_i^2 = I_j^2$ and $X_i^2 = X_j^2$ and $X_i^3 = X_j^3$ imply $I_i^1 \oplus I_j^1 = S_i^1 \oplus S_j^1$. We get 

$$\mathcal{N}_{G_3^6} \simeq \frac{m^2}{2 \cdot 2^{2n}} + \frac{m^2}{2 \cdot 2^{3n}}.$$

We can distinguish the two permutations when the difference between the 
mean values is larger than the standard deviation, i.e. when $\frac{m^2}{2^{3n}} \gg \frac{m}{2^n}$, i.e. for 
$m \gg 2^{2n}$. 

We can obviously transform this CPA-1 attack into a KPA attack which will 
succeed as soon as we have $m \gg 2^{5n/2}$. 

4.5 Experimental Results on $G_3^6$ 

We have implemented our CPA-1 and KPA attacks against $G_3^6$ for small values 
of $n$ ($n = 6$ and $n = 8$). Our experimental values confirm the theoretical results. 
Our experiments were performed as follows: 

- choose randomly an instance of $G_3^6$ 

- choose randomly a permutation: for this we use a classical balanced Feistel 
scheme with a large number of rounds (more than 20) 

- launch the attack in CPA-1 with $m = 2^{2n}$, in KPA with $m = 2^{3n}$ ($m = 2^{5n/2}$ 
also works) 

- count the number of plaintext/ciphertext pairs satisfying the relations for 
the $G_3^6$ function and for the permutation 

- iterate this procedure a large number of times (here 1000 times) to evaluate 
the mean values and the standard deviations 

- compute the mean value and the standard deviation for both the $G_3^6$ function 
and the permutation 

Table 2. Experimental results for KPA and CPA attacks on $G_3^6$ 

 Attack   n   N_{G_3^6}   N_perm    N_{G_3^6} - N_perm   theory   σ_{G_3^6}   σ_perm   theory
 KPA      6   131006      129011    1995                 2048     159         372      362.038
 KPA      8   8388308     8355787   32521                32768    2862        2833     2896.309
 CPA-1    6   2058        2009      49                   32       45          44       45.254
 CPA-1    8   32781       32601     180                  128      178         185      182.019

The two "theory" columns are the expected difference ($\frac{m^2}{2 \cdot 2^{4n}}$ in KPA with 
$m = 2^{3n}$, $\frac{m^2}{2 \cdot 2^{3n}}$ in CPA-1 with $m = 2^{2n}$) and the expected standard deviation 
($\frac{m}{\sqrt{2 \cdot 2^{3n}}}$ in KPA, $\frac{m}{\sqrt{2 \cdot 2^{2n}}}$ in CPA-1). 

Conclusion. Our experimental values for $\mathcal{N}_{G_3^6} - \mathcal{N}_{perm}$ are very close to the 
theoretical expected values ($\frac{m^2}{2 \cdot 2^{4n}}$ in KPA and $\frac{m^2}{2 \cdot 2^{3n}}$ in CPA-1). Similarly, our 
experimental values for $\sigma_{perm}$ are very close to the theoretical expected values 
($\frac{m}{\sqrt{2 \cdot 2^{3n}}}$ in KPA and $\frac{m}{\sqrt{2 \cdot 2^{2n}}}$ in CPA-1). So these simulations confirm that we can 
distinguish $G_3^6$ from a random permutation with the complexity that we have 
given. 
5 Generic Attacks When $k \ge 4$ and $k \le d \le 2k-1$ 

5.1 Attacks for $k$ Rounds 

We first describe a CPA-1 attack with two messages. All the blocks of these two 
messages are equal to zero except the first one. We test if $I_1^1 \oplus I_2^1 = S_1^1 \oplus S_2^1$. 
Since $S^1 = X^1 = I^1 \oplus f_1([I^2, \ldots, I^k])$, this will occur with probability 1 if $f$ is 
a $G_k^k$, and with probability $2^{-n}$ if $f$ is a random permutation. This gives the 
result. 

As usual, we transform this attack into a KPA attack with $m = O(2^{(k-1)n/2})$. 
In that case with a high probability $I_i^2 = I_j^2$, $I_i^3 = I_j^3$, \ldots, $I_i^k = I_j^k$ for some $i \ne j$. We test again 
if $S_i^1 \oplus S_j^1 = I_i^1 \oplus I_j^1$. 

5.2 Attacks for $k+t$ Rounds, with $1 \le t \le k-1$ 

In the CPA-1 attack, we choose $\forall i$, $I_i^{t+2} = \ldots = I_i^k = 0$ and pairwise distinct 
$[I_i^1, \ldots, I_i^{t+1}]$. This choice limits the maximal number of plaintext/ciphertext tuples 
to $m \le 2^{(t+1)n}$. We then count the number $\mathcal{N}$ of pairs $(i,j)$, $i < j$, such that 
$I_i^{t+1} \oplus I_j^{t+1} = S_i^1 \oplus S_j^1$. For a random permutation, we have: 

$$\mathcal{N}_{perm} \simeq \frac{m(m-1)}{2 \cdot 2^n} + O\left(\frac{m}{2^{n/2}}\right).$$

Here $O(\frac{m}{2^{n/2}})$ denotes the standard deviation. This can be easily proved using the 
Covariance Formula, see Appendix A or the full version of this article [13]. 

For an unbalanced Feistel scheme, the preceding condition appears at random, 
but we also have the following property: 

$$X_i^1 = X_j^1, \ldots, X_i^t = X_j^t \Rightarrow S_i^1 \oplus S_j^1 = I_i^{t+1} \oplus I_j^{t+1}$$

since $S^1 = X^{t+1} = I^{t+1} \oplus f_{t+1}([I^{t+2}, \ldots, I^k, X^1, \ldots, X^t])$. This gives 

$$\mathcal{N}_{G_k^{k+t}} \simeq \frac{m(m-1)}{2 \cdot 2^n} + \frac{m(m-1)}{2 \cdot 2^{tn}}, \quad \text{so} \quad |E(\mathcal{N}_{G_k^{k+t}}) - E(\mathcal{N}_{perm})| \simeq \frac{m^2}{2 \cdot 2^{tn}}.$$

Here again for $\mathcal{N}_{G_k^d}$, the standard deviation can be computed by using the Co- 
variance Formula, as we have shown for $G_3^4$ (see the full version of this article for the 
details [13]). Thus we distinguish when $\frac{m^2}{2^{tn}} \gg \frac{m}{2^{n/2}}$, i.e. when $m \gg 2^{\frac{(2t-1)n}{2}}$, which 
is compatible with the bound given above. 

As usual, we are able to transform this attack into a KPA attack which succeeds 
if $m \gg 2^{\frac{(k+t-2)n}{2}}$. 

5.3 Attacks for $2k-1$ Rounds 

In that case we can only mount a KPA attack. We consider the following KPA 
attack: let $\mathcal{N}$ be the number of pairs $(i,j)$, $i < j$, such that $I_i^k \oplus I_j^k = S_i^1 \oplus S_j^1$. 
For a random permutation, we have $\mathcal{N}_{perm} \simeq \frac{m(m-1)}{2 \cdot 2^n} + O\left(\frac{m}{2^{n/2}}\right)$ and for an 
unbalanced Feistel scheme, $\mathcal{N}_{G_k^{2k-1}} \simeq \frac{m(m-1)}{2 \cdot 2^n} + \frac{m(m-1)}{2 \cdot 2^{(k-1)n}}$, since $I_i^k \oplus I_j^k = S_i^1 \oplus S_j^1$ 
is also implied by the following equations: $X_i^1 = X_j^1, X_i^2 = X_j^2, \ldots, X_i^{k-1} = 
X_j^{k-1}$. This is because $S^1 = X^k = I^k \oplus f_k([X^1, \ldots, X^{k-1}])$. Thus we can 
distinguish when $\frac{m^2}{2 \cdot 2^{(k-1)n}} \gg \frac{m}{2^{n/2}}$. This gives $m \gg 2^{\frac{(2k-3)n}{2}}$. 

We can remark that for more than $2k$ rounds we will have to proceed with 
different attacks, since $X_i^1 = X_j^1, \ldots, X_i^k = X_j^k$ implies $i = j$ because we have a 
permutation. 

6 Attacks with More Than $2^{kn}$ Computations 

Until now we have studied Unbalanced Feistel schemes with random functions. 
In practice, for example in designing block ciphers, we need to consider gener- 
ators of pseudo-random permutations. In this section, we will describe attacks 
against a generator of permutations (and not only against a single permuta- 
tion randomly generated by a generator of permutations), i.e. we will be able to 
study several permutations generated by the generator. This allows more than 
$2^{kn}$ computations. 

Let $G$ be a "$G_k^d$ generator", i.e. from a binary string $K$, $G$ generates a $d$ 
round unbalanced Feistel permutation $G_k^d$. Let $G'$ be a truly random permutation 
generator, i.e. from a string $K$, $G'$ generates a truly random permutation $G'_K$ of 
$B_{kn}$, the set of all permutations of $\{0,1\}^{kn}$. Let $G''$ be a truly random even permutation generator, i.e. from a string 
$K$, $G''$ generates a truly random permutation $G''_K$ of $A_{kn}$, with $A_{kn}$ being the 
group of all the permutations of $\{0,1\}^{kn} \to \{0,1\}^{kn}$ with even signature. We 
are looking for attacks that distinguish $G$ from $G'$, and also for attacks that will 
distinguish $G$ from $G''$. 

Adversarial model: An attacker can choose some strings $K_1, \ldots, K_f$, can ask for 
some inputs $[I^1, \ldots, I^k]$, and can ask for some $G_{K_a}([I^1, \ldots, I^k])$ (with $K_a$ being 
one of the $K_i$). Here the attack is more general than in the previous sections, 
since the attacker can have access to many different permutations generated by 
the same generator. 

Adversarial goal: The aim of the attacker is to distinguish $G$ from $G'$ (or from 
$G''$) with a high probability and with a complexity as small as possible. 

6.1 Brute Force Attacks 

A possible attack is an exhaustive search for the $d$ round functions $f_1, \ldots, f_d$ 
from $\{0,1\}^{(k-1)n}$ to $\{0,1\}^n$ that have been used in the unbalanced Feistel con- 
struction. This attack always exists, but since we have $2^{d \cdot n \cdot 2^{(k-1)n}}$ possibilities 
for $f_1, \ldots, f_d$, this attack requires about $2^{d \cdot n \cdot 2^{(k-1)n}}$ computations and about 
$\frac{d}{k} \cdot 2^{(k-1)n}$ random queries, but only for one permutation of the generator. This 
attack means that an adversary with infinite computing power will be able to 
distinguish $G_k^d$ from a random permutation (or from a truly random permutation 
with even signature) when $m \ge \frac{d}{k} \cdot 2^{(k-1)n}$. 
6.2 Attack by the Signature 

Theorem 1. Let $G$ be an unbalanced Feistel permutation on $\{0,1\}^{\alpha+\beta} \to 
\{0,1\}^{\alpha+\beta}$ with round functions of $\{0,1\}^{\beta} \to \{0,1\}^{\alpha}$. Then if $\alpha \ge 2$ and $\beta \ge 1$, 
$G$ has an even signature. 

The proof of this theorem is quite similar to the proof in the case of a symmetric 
Feistel scheme [11,3]. However the fact that $\alpha \ge 2$ changes a few things. Conse- 
quently a complete proof is included in the full version [13], available from the 
authors. 

Let $f$ be a permutation from $kn$ bits to $kn$ bits. Then using $O(2^{kn})$ compu- 
tations on the $2^{kn}$ input/output values of $f$, we can compute the signature of $f$. 
To achieve this we just compute all the cycles $c_i$ of $f$, $f = \prod_i c_i$, and use the 
formula: 

$$\mathrm{signature}(f) = \prod_i (-1)^{\mathrm{length}(c_i) + 1}.$$

The consequence is that it is possible to distinguish $G$, a generator of $G_k^d$, from 
a generator of truly random permutations from $kn$ bits to $kn$ bits after $O(2^{kn})$ 
computations on $O(2^{kn})$ input/output values. 

Remark: To compute the signature of a permutation $g$ we need however to know 
all the input/outputs of $g$ (or all of them minus one, since the last one can be 
found from the others if $g$ is a permutation). 
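As an added example (not code from the paper), the following Python script implements a toy $G_k^d$ with lazily sampled random round functions, the CPA-1 pair-counting distinguisher of Sect. 5.2 (of which the Sect. 4.2 attack on $G_3^4$ is the $k = 3$, $t = 1$ instance), and the cycle-decomposition signature test of this section; a lazily sampled random permutation plays the role of the ideal object. The parameter values, the seeds and the decision threshold (expected $\mathcal{N}_{perm}$ plus half the expected excess $\frac{m(m-1)}{2 \cdot 2^{tn}}$ of the Feistel scheme) are our own choices.

```python
import random
from collections import Counter

# Added example (not code from the paper): a toy G_k^d with lazily sampled
# random round functions, the CPA-1 distinguisher of Sect. 5.2 (the Sect. 4.2
# attack on G_3^4 is the k = 3, t = 1 instance) and the signature test of
# Sect. 6.2.  Parameter values, seeds and the decision threshold are ours.


def int_to_blocks(x, k, n):
    """kn-bit integer -> [I^1, ..., I^k], most significant block first."""
    return [(x >> (n * (k - 1 - i))) & ((1 << n) - 1) for i in range(k)]


def blocks_to_int(blocks, n):
    x = 0
    for b in blocks:
        x = (x << n) | b
    return x


class ContractingFeistel:
    """G_k^d on kn bits: d rounds, f_j : {0,1}^((k-1)n) -> {0,1}^n."""

    def __init__(self, k, n, d, rng):
        self.k, self.n, self.d, self.rng = k, n, d, rng
        self.tables = [{} for _ in range(d)]      # f_1..f_d, sampled on demand

    def f(self, j, blocks):
        key = tuple(blocks)
        if key not in self.tables[j]:
            self.tables[j][key] = self.rng.getrandbits(self.n)
        return self.tables[j][key]

    def encrypt(self, blocks):
        state = list(blocks)                       # [I^1, ..., I^k]
        for j in range(self.d):
            x = state[0] ^ self.f(j, state[1:])    # X^{j+1} = I^{j+1} xor f_{j+1}(rest)
            state = state[1:] + [x]                # rotate by one n-bit block
        return state                               # [S^1, ..., S^k]

    def decrypt(self, blocks):
        state = list(blocks)
        for j in reversed(range(self.d)):
            x, rest = state[-1], state[:-1]
            state = [x ^ self.f(j, rest)] + rest
        return state


class LazyRandomPermutation:
    """Uniformly random permutation of {0,1}^(kn), sampled point by point."""

    def __init__(self, k, n, rng):
        self.k, self.n, self.rng = k, n, rng
        self.table, self.used = {}, set()

    def encrypt(self, blocks):
        key = tuple(blocks)
        if key not in self.table:
            y = self.rng.getrandbits(self.k * self.n)
            while y in self.used:                  # outputs drawn without replacement
                y = self.rng.getrandbits(self.k * self.n)
            self.used.add(y)
            self.table[key] = int_to_blocks(y, self.k, self.n)
        return self.table[key]


def cpa1_pair_count(oracle, k, n, t, m, rng):
    """Sect. 5.2 statistic on k+t rounds: m chosen plaintexts with
    I^{t+2} = ... = I^k = 0 and pairwise distinct [I^1, ..., I^{t+1}];
    N = #{i < j : I^{t+1}_i xor I^{t+1}_j = S^1_i xor S^1_j}, i.e. the number
    of pairs on which the value I^{t+1} xor S^1 collides."""
    heads = set()
    while len(heads) < m:
        heads.add(tuple(rng.getrandbits(n) for _ in range(t + 1)))
    counts = Counter()
    for head in heads:
        s = oracle.encrypt(list(head) + [0] * (k - t - 1))
        counts[head[t] ^ s[0]] += 1
    return sum(c * (c - 1) // 2 for c in counts.values())


def run_attack(k, n, t, m, seed):
    """Returns (N_G, N_perm, threshold) for G_k^{k+t} and a random permutation on
    the same m plaintexts; threshold = E(N_perm) + half the expected excess
    m(m-1)/(2 * 2^(tn)) of the Feistel scheme."""
    scheme = ContractingFeistel(k, n, k + t, random.Random(seed))
    perm = LazyRandomPermutation(k, n, random.Random(seed + 1))
    n_g = cpa1_pair_count(scheme, k, n, t, m, random.Random(seed + 2))
    n_p = cpa1_pair_count(perm, k, n, t, m, random.Random(seed + 2))
    pairs = m * (m - 1) / 2
    return n_g, n_p, pairs / 2 ** n + pairs / (2 * 2 ** (t * n))


def roundtrip_ok(k, n, d, seed, trials=50):
    """Checks decrypt(encrypt(x)) == x on random inputs (G_k^d is a permutation)."""
    g, rng = ContractingFeistel(k, n, d, random.Random(seed)), random.Random(seed + 9)
    return all(g.decrypt(g.encrypt(x)) == x
               for x in ([rng.getrandbits(n) for _ in range(k)] for _ in range(trials)))


def signature(perm):
    """Signature of a permutation given as a list, from its cycle decomposition:
    prod_i (-1)^(length(c_i) + 1) = (-1)^(#points - #cycles)."""
    seen, cycles = [False] * len(perm), 0
    for start in range(len(perm)):
        if not seen[start]:
            cycles += 1
            x = start
            while not seen[x]:
                seen[x] = True
                x = perm[x]
    return 1 if (len(perm) - cycles) % 2 == 0 else -1


def feistel_table(k, n, d, seed):
    """Full table of a G_k^d instance (only sensible for tiny kn)."""
    g = ContractingFeistel(k, n, d, random.Random(seed))
    return [blocks_to_int(g.encrypt(int_to_blocks(x, k, n)), n) for x in range(1 << (k * n))]


if __name__ == "__main__":
    print(run_attack(3, 8, 1, 1024, seed=7))    # Sect. 4.2: N_G about twice N_perm
    print(run_attack(4, 4, 2, 2048, seed=7))    # Sect. 5.2 with k = 4, t = 2
    print([signature(feistel_table(3, 2, 5, s)) for s in range(5)])   # Theorem 1: all +1
```

`run_attack` returns $\mathcal{N}_{G}$ above and $\mathcal{N}_{perm}$ below the threshold by many standard deviations for the parameters shown, and the full table of a $G_3^d$ instance with $n = 2$ (so $\alpha = 2$, $\beta = 4$ in Theorem 1) always has signature $+1$, whereas a random permutation of the same 64 points is odd half of the time; counting collisions of $I^{t+1} \oplus S^1$ with a `Counter` is the $O(m)$ way to evaluate the pair statistic instead of scanning all $m^2$ pairs.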

6.3 Attacks on $G_k^d$ Generators When $d = 2k$ 

Let $p$ be the number of permutations that we will use. After $2k$ rounds, the 
output is given by $[S^1, S^2, \ldots, S^k] = [X^{k+1}, X^{k+2}, \ldots, X^{2k}]$ where we have 
$X^{k+1} = X^1 \oplus f_{k+1}([X^2, \ldots, X^k])$. Remember that $X^1 = I^1 \oplus f_1([I^2, \ldots, I^k])$. 
Let us describe the KPA attack which concentrates on $S^1 = X^{k+1}$. Let $\mathcal{N}$ be 
the number of pairs $i < j$, such that 

$$I_i^2 = I_j^2, \ldots, I_i^k = I_j^k, \quad X_i^{k+1} \oplus X_j^{k+1} = I_i^1 \oplus I_j^1. \qquad (1)$$

There we have necessarily $I_i^1 \ne I_j^1$ and $X_i^1 \ne X_j^1$. When we are testing random 
permutations, $\mathcal{N}_{perm} \simeq p \cdot \frac{m^2}{2 \cdot 2^{kn}} + O\left(\sqrt{p} \cdot \frac{m}{2^{kn/2}}\right)$. For $G_k^{2k}$, since $I_i^2 = I_j^2, \ldots, I_i^k = 
I_j^k$, $X_i^2 = X_j^2, \ldots, X_i^k = X_j^k$ imply (1), we have: 

$$\mathcal{N}_{G_k^{2k}} \simeq p \cdot \frac{m^2}{2 \cdot 2^{kn}} + p \cdot \frac{m^2}{2 \cdot 2^{(2k-2)n}}.$$

Thus we can distinguish the two generators when $p \cdot \frac{m^2}{2^{(2k-2)n}} \gg \sqrt{p} \cdot \frac{m}{2^{kn/2}}$, i.e. 
when $p \cdot m^2 \gg 2^{(3k-4)n}$. When $m = 2^{kn}$, we find $p = 2^{(k-4)n}$ and $p \cdot m = 2^{(2k-4)n}$. 
6.4 Attacks on $G_k^d$ Generators for $d$ Rounds with $d > 2k$ 

It is possible to generalize the attack given above for any $d > 2k$. We give here 
only the main ideas. We concentrate the attack on $S^1 = X^{d-k+1}$. In the constraints, 
there are $d$ conditions and $d-k$ internal variables $X^i$. We choose conditions 
number $k, 2k, \ldots$, until we get $\ell = \lfloor \frac{d}{k} \rfloor$ conditions. This gives $\ell$ (internal or 
external) $(k-1)$-multiple equations. When they are satisfied, we have: 

1. One equation between the input and output variables. 

2. $\varphi$ equations between the output variables where 

$$\varphi = (k-1) - \left(d - \left\lfloor \frac{d}{k} \right\rfloor k\right) = (k-1) - (d \bmod k).$$

We have $\mu$ permutations and the attack proceeds as follows: let $\mathcal{N}$ be the number 
of pairs $i < j$, such that these $\varphi + 1$ equations are satisfied. When we are 
testing a permutation generator, we have 

$$\mathcal{N}_{perm} \simeq \mu \cdot \frac{m(m-1)}{2 \cdot 2^{(\varphi+1)n}} + O\left(\sqrt{\mu} \cdot \frac{m}{2^{(\varphi+1)n/2}}\right).$$

With a $G_k^d$, the $\ell$ $(k-1)$-multiple equations imply the $\varphi + 1$ equations described 
above. This shows that 

$$\mathcal{N}_{G_k^d} \simeq \mu \cdot \frac{m(m-1)}{2 \cdot 2^{(\varphi+1)n}} + \mu \cdot \frac{m(m-1)}{2 \cdot 2^{\ell(k-1)n}}.$$

We get the condition: 

$$\mu \cdot m^2 \gg 2^{(2\ell(k-1) - \varphi - 1)n}.$$

For the maximal value $m = 2^{kn}$, we find $\mu = 2^{(2\ell(k-1) - \varphi - 2k - 1)n}$ and the com- 
plexity is $\lambda = \mu \cdot m = 2^{(2(k-1)\ell - \varphi - k - 1)n}$. Thus we can write 

$$\lambda = 2^{\left(2(k-1)\lfloor \frac{d}{k} \rfloor + (d \bmod k) - 2k\right)n} = 2^{\left(d + (k-2)\lfloor \frac{d}{k} \rfloor - 2k\right)n}.$$

7 Conclusion 

Until now, attacks and proofs of security on contracting unbalanced Feistel 
schemes have not received much attention. There are many more papers on clas- 
sical Feistel schemes, and even attacks on expanding unbalanced Feistel schemes 
have been more studied than attacks on contracting unbalanced Feistel schemes. 
This may not be justified since contracting Feistel schemes seem to have very 
good security properties. For example, to avoid all known generic attacks with 
a number of messages less than $2^{kn}$ (where $kn$ is the number of bits of the 
input and the output) with these schemes, we need only $2k$ rounds (if $k \ge 4$) 
Table 3. Results on $G_3^d$. For more than 7 rounds more than one permutation is needed or more than $2^{3n}$ computations are needed in the best known attacks to distinguish from a random permutation with an even signature.

                       KPA                                CPA-1 (a)
  $G_3^1$              1                                  1
  $G_3^2$              1                                  1
  $G_3^3$              $2^n$                              2
  $G_3^4$              $2^n$                              $2^{n/2}$
  $G_3^5$              $2^{3n/2}$                         $2^n$
  $G_3^6$              $2^{5n/2}$                         $2^{2n}$
  $G_3^7$              $2^{3n}$                           $2^{3n}$
  $G_3^8$              $2^{4n}$                           $2^{4n}$
  $G_3^9$              $2^{6n}$                           $2^{6n}$
  $G_3^{10}$           $2^{7n}$                           $2^{7n}$
  $G_3^{11}$           $2^{8n}$                           $2^{8n}$
  $G_3^{12}$           $2^{10n}$                          $2^{10n}$
  $G_3^d$, $d > 12$    $2^{(d + \lfloor d/3 \rfloor - 6)n}$   $2^{(d + \lfloor d/3 \rfloor - 6)n}$

(a) Here we do not show CPA-2, CPCA-1 and CPCA-2 since for $G_3^d$, no better attacks are found compared with CPA-1.


Table 4. Results on $G_k^d$ for any $k \ge 4$. For more than $2k$ rounds more than one permutation is needed or more than $2^{(2k-4)n}$ computations are needed in the best known attacks to distinguish from a random permutation with an even signature.

                                   KPA                                        CPA-1 (a)
  $G_k^d$, $1 \le d \le k-1$       1                                          1
  $G_k^k$                          2^                                         2
  $G_k^{k+1}$                      2 ^                                        2t
  $G_k^{k+2}$                      2% n                                       2§ n
  $G_k^{k+3}$                      2<-^ n                                     2 fn
  $G_k^{k+i}$, $1 \le i \le k$
  $G_k^{2k}$                       $2^{(2k-4)n}$                              $2^{(2k-4)n}$
  $G_k^d$, $d > 2k$                $2^{(d + (k-2)\lfloor d/k \rfloor - 2k)n}$   $2^{(d + (k-2)\lfloor d/k \rfloor - 2k)n}$

(a) Here we do not show CPA-2, CPCA-1 and CPCA-2 since for $G_k^d$, no better attacks are found compared with CPA-1.


or 7 rounds (if $k = 3$). So each bit will be changed only 2 times (if $k \ge 4$), unlike with balanced Feistel schemes where 3 changes (i.e. 6 rounds) are necessary and unlike expanding unbalanced Feistel schemes where many more changes are needed [4,11,14].

Storing a random function of $(k-1)n$ bits to $n$ bits requires a large memory and this may be a practical disadvantage of $G_k^d$ compared with balanced Feistel schemes or Feistel schemes with expanding functions. However, if a function generator is used to generate pseudo-random functions, this may not be a problem.

There are still many open problems on contracting unbalanced Feistel schemes. 
Naor and Reingold have shown a very nice security result [9]: we have security un- 
til the birthday bound when we use pairwise independent functions for the first 
and the last rounds. However, if we do not use such first and last rounds, the ex- 
act security is still an open problem and even the birthday security bound is not 
proved yet. 

In conclusion, contracting unbalanced Feistel schemes seem to be one of the best designs for permutation generators. In this paper, we have presented attacks on these schemes with fewer than $2k$ rounds.
A Computation of the Variance for Random Permutations


In this section, we compute the value of the variance when we are testing a random permutation and we want to distinguish it from a $G_k^{k+t}$, $1 \le t \le k-1$. The input is $[I^1, \ldots, I^k]$ and the output is $[S^1, \ldots, S^k]$. We want to compute $N_{perm}$, which is the number of $i < j$ satisfying the relation $I_i^{t+1} \oplus S_i^1 = I_j^{t+1} \oplus S_j^1$. We have the condition $\forall i,\ I_i^{t+2} = I_i^{t+3} = \ldots = I_i^k = 0$. This implies that $m \le 2^{(t+1)n}$. We introduce the following random variables:

$$\delta_{i,j} = 1 \text{ if } I_i^{t+1} \oplus S_i^1 = I_j^{t+1} \oplus S_j^1, \qquad \delta_{i,j} = 0 \text{ otherwise.}$$

Then $N_{perm} = \sum_{i<j} \delta_{i,j}$ and $E(\delta_{i,j}) = \Pr_{f \in_R B_{kn}}[I_i^{t+1} \oplus S_i^1 = I_j^{t+1} \oplus S_j^1]$.

Notice that if $m \le 2^n$, we may assume that the $I_i^{t+1}$ values are pairwise distinct (or are all equal), and if $m > 2^n$, we may assume that each element of $\{0,1\}^n$ is reached by about $\frac{m}{2^n}$ values of $I_i^{t+1}$ (in CPA-1, we can choose $m$ to be a multiple of $2^n$ so that each element of $\{0,1\}^n$ is reached by exactly $\frac{m}{2^n}$ values of $I_i^{t+1}$; it is also possible to choose the $I_i^{t+1}$ to be random values). If $I_i^{t+1} = I_j^{t+1}$, $E(\delta_{i,j}) = \Pr_{f \in_R B_{kn}}[S_i^1 = S_j^1] = \frac{2^{(k-1)n} - 1}{2^{kn} - 1} \simeq \frac{1}{2^n}$, and if $I_i^{t+1} \neq I_j^{t+1}$, $E(\delta_{i,j}) = \frac{2^{(k-1)n}}{2^{kn} - 1}$. This gives us the average value:


$$E(N_{perm}) \simeq \frac{m(m-1)}{2 \cdot 2^n}.$$

We now compute the variance $V(\delta_{i,j}) = E(\delta_{i,j}^2) - E(\delta_{i,j})^2 = E(\delta_{i,j}) - E(\delta_{i,j})^2$. If $I_i^{t+1} = I_j^{t+1}$, $V(\delta_{i,j}) = \frac{2^{(k-1)n} - 1}{2^{kn} - 1} - \left(\frac{2^{(k-1)n} - 1}{2^{kn} - 1}\right)^2$, and if $I_i^{t+1} \neq I_j^{t+1}$, $V(\delta_{i,j}) = \frac{2^{(k-1)n}}{2^{kn} - 1} - \left(\frac{2^{(k-1)n}}{2^{kn} - 1}\right)^2$. Finally $V(\delta_{i,j}) \simeq \frac{1}{2^n}\left(1 - \frac{1}{2^n}\right)$.

We recall the formula:

$$V(N_{perm}) = \sum_{i<j} V(\delta_{i,j}) + \sum_{(i,j) \neq (p,l)} \left(E(\delta_{i,j}\delta_{p,l}) - E(\delta_{i,j})E(\delta_{p,l})\right) \simeq \frac{m(m-1)}{2} \cdot \frac{1}{2^n}\left(1 - \frac{1}{2^n}\right) + \sum_{(i,j) \neq (p,l)} \left(E(\delta_{i,j}\delta_{p,l}) - E(\delta_{i,j})E(\delta_{p,l})\right).$$
The second term is the covariance term. We will see that

$$V(N_{perm}) \simeq \frac{m(m-1)}{2 \cdot 2^n} - \frac{m(m-1)}{2 \cdot 2^{2n}} + (\text{covariance of four distinct indexes}) + (\text{covariance of 4-tuples with one index in common}),$$

where the two first terms correspond to the sum of the variance of $\delta_{i,j}$, the third term corresponds to the covariance of four distinct indexes $(i, j, k, l)$, and the last term corresponds to the covariance of 4-tuples of indexes with one in common, like for example $(i, j, i, l)$. Therefore, for $m$ larger than $2^n$ but smaller than $2^{kn}$, we have as claimed

$$V(N_{perm}) \simeq \frac{m(m-1)}{2 \cdot 2^n} \simeq \frac{m^2}{2 \cdot 2^n}.$$


In order to exactly compute the covariance term, we can separate the computation into several cases. Here we only study the main case, i.e. we suppose that $i, j, p, l$ are pairwise distinct and that $I_i^{t+1} \neq I_j^{t+1}$, $I_p^{t+1} \neq I_l^{t+1}$ and $I_i^{t+1} \oplus I_j^{t+1} \oplus I_p^{t+1} \oplus I_l^{t+1} \neq 0$. For all other cases, the computation is similar and is included in the full version of this paper [13].

To compute this probability we need to count the total number $A$ of possibilities for the outputs $[S_i^1, \ldots, S_i^k]$, $[S_j^1, \ldots, S_j^k]$, $[S_p^1, \ldots, S_p^k]$ and $[S_l^1, \ldots, S_l^k]$. Since we are using a permutation, we have $A = 2^{kn} \cdot (2^{kn} - 1) \cdot (2^{kn} - 2) \cdot (2^{kn} - 3)$.

We also have to compute $B$, the number of outputs $[S_i^1, \ldots, S_i^k]$, $[S_j^1, \ldots, S_j^k]$, $[S_p^1, \ldots, S_p^k]$ and $[S_l^1, \ldots, S_l^k]$ satisfying the above relations in the case we consider. For $[S_i^1, \ldots, S_i^k]$, there are $2^{kn}$ possibilities. When this output is fixed, $S_j^1 = S_i^1 \oplus I_i^{t+1} \oplus I_j^{t+1}$. Thus there are $2^{(k-1)n}$ possibilities for $[S_j^1, \ldots, S_j^k]$. Now we have to fix $[S_p^1, \ldots, S_p^k]$ and $[S_l^1, \ldots, S_l^k]$. There are 5 cases that we are going to study now. If $S_p^1 = S_j^1 \oplus I_p^{t+1} \oplus I_l^{t+1}$, then $S_p^1 \neq S_i^1$, $S_p^1 \neq S_j^1$ and $S_l^1 = S_j^1$. Thus we have $2^{(k-1)n} \cdot (2^{(k-1)n} - 1)$ possibilities for $[S_p^1, \ldots, S_p^k]$ and $[S_l^1, \ldots, S_l^k]$. Then we consider the case where $S_p^1 = S_i^1 \oplus I_p^{t+1} \oplus I_l^{t+1}$. This case is different from the previous one since $S_l^1 \neq S_j^1$. We get again $2^{(k-1)n} \cdot (2^{(k-1)n} - 1)$ possibilities for $[S_p^1, \ldots, S_p^k]$ and $[S_l^1, \ldots, S_l^k]$. If $S_p^1 = S_i^1$ or if $S_p^1 = S_j^1$, there are $(2^{(k-1)n} - 1) \cdot 2^{(k-1)n}$ possibilities for $[S_p^1, \ldots, S_p^k]$ and $[S_l^1, \ldots, S_l^k]$. The last case is when we have eliminated the previous cases. This gives $(2^n - 4) \cdot 2^{(k-1)n} \cdot 2^{(k-1)n}$ possibilities for $[S_p^1, \ldots, S_p^k]$ and $[S_l^1, \ldots, S_l^k]$. Finally $B = 2^{(4k-2)n} \cdot \left(1 - \frac{4}{2^{kn}}\right)$. Consequently, since $E(\delta_{i,j}\delta_{p,l}) = \frac{B}{A}$, we get:

$$E(\delta_{i,j}\delta_{p,l}) - E(\delta_{i,j})E(\delta_{p,l}) = \frac{B}{A} - \left(\frac{2^{(k-1)n}}{2^{kn} - 1}\right)^2.$$

Finally, these covariance terms are negligible with respect to $\frac{m(m-1)}{2 \cdot 2^n}$, as claimed.
Abstract. IDEA is a 64-bit block cipher with 128-bit keys introduced by Lai and Massey in 1991. IDEA is one of the most widely used block ciphers, due to its inclusion in several cryptographic packages, such as PGP and SSH. The cryptographic strength of IDEA relies on a combination of three incompatible group operations - XOR, addition and modular multiplication. Since its introduction in 1991, IDEA has withstood extensive cryptanalytic effort, but no attack was found on the full variant of the cipher.

In this paper we present the first known non-trivial relation that involves all the three operations of IDEA. Using this relation and other techniques, we devise a linear attack on 5-round IDEA that uses $2^{19}$ known plaintexts and has a time complexity of $2^{103}$ encryptions. By transforming the relation into a related-key one, a similar attack on 7.5-round IDEA can be applied with data complexity of $2^{43.5}$ known plaintexts and a time complexity equivalent to $2^{115.1}$ encryptions. Both of the attacks are by far the best known attacks on IDEA.


1 Introduction 

The International Data Encryption Algorithm (IDEA) is a 64-bit, 8.5-round block cipher with 128-bit keys proposed by Lai and Massey in 1991 [20]. Due to its inclusion in several cryptographic packages, such as PGP and SSH, IDEA is one of the most widely used block ciphers. Since its introduction, IDEA resisted intensive cryptanalytic efforts [1, 5, 6, 8, 9, 10, 11, 12, 13, 14, 16, 21, 22, 24]. The best published chosen-plaintext attack on IDEA is an attack on 5-round IDEA that requires $2^{24}$ chosen plaintexts, and has time complexity of $2^{126}$ encryptions [12]. The best published related-key attack is an attack on 6.5-round IDEA that requires $2^{57.8}$ chosen plaintexts encrypted under four related keys and has time complexity of $2^{88.1}$ encryptions [5]. Along with the attacks on reduced-round variants, several weak-key classes for the entire IDEA were found. The largest weak key class (identified by a boomerang technique) contains $2^{64}$ keys,

* This work was supported in part by the Israel MOD Research and Technology Unit. 
** The research presented in this paper was supported by the Adams fellowship. 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 412-427, 2006. 
and the membership test requires $2^{16}$ adaptive chosen plaintexts and ciphertexts and has a time complexity of $2^{16}$ encryptions [6].

The cryptographic strength of IDEA relies on the combination of three incompatible group operations: bitwise XOR, modular addition in $\mathbb{Z}_{2^{16}}$, and modular multiplication in $GF(2^{16} + 1)$ where 0 is replaced by $2^{16}$. All the three operations are essential for the security of the cipher. Indeed, if the multiplication is removed, then the cipher can be broken easily by examining the least significant bits of the words during the encryption. If the XOR is removed, then the cipher is affine over addition in $\mathbb{Z}_{2^{16}}$, and hence, is easily breakable using only a few known plaintexts. In [7, 26] it is shown that if the addition is removed then the cipher can be easily broken using multiplicative differentials.

In this paper we present the first known non-trivial relation that involves all 
the three different operations of IDEA. More precisely, we show that for the 
MA transformation of IDEA, that is composed of additions and multiplications, 
there exists an XOR differential with a non-trivial probability. 

We use our new relation to devise several new attacks on IDEA based on various attack techniques: First, we devise linear-type attacks on reduced-round variants of IDEA that are similar to the attacks presented in [12, 16, 24]. The attacks are based on constructing linear approximations with bias 1/2 that relate the least significant bits of some words during the encryption process. We use our relation, along with differential techniques and partial key guessing, to improve the basic technique presented in [16, 24] and to establish the best known attack on 5-round IDEA. Our attack requires only $2^{19}$ known plaintexts and the time complexity is equivalent to $2^{103}$ encryptions. Both the data and the time complexities are smaller than the respective complexities of all the previously known attacks on 4.5 or 5 rounds of IDEA. Our attack also has a relatively small memory complexity, unlike the 5-round attack in [12]. We also devise realistic attacks on variants of IDEA with a small number of rounds: A distinguishing attack on 2.5-round IDEA requiring $2^{18}$ chosen plaintexts and time complexity of $2^{18}$ encryptions, and an attack on 3-round IDEA with data complexity of $2^{19}$ chosen plaintexts and time complexity of about $2^{48.5}$ encryptions. Both of the attacks are better in some of the parameters than all the known attacks on the respective variants of IDEA.

We also show how to use the same relation in the related-key model. Using two related keys, we are able to extend the linear property by 2.5 rounds. This gives rise to a 7.5-round attack on IDEA requiring $2^{43.5}$ known plaintexts and a time complexity of $2^{115.1}$ encryptions. It is also possible to use our new relation to improve the previously best known related-key attack on IDEA, using the related-key rectangle technique. These improvements can be used to construct a 7-round related-key rectangle attack on IDEA with data complexity of $2^{65}$ related-key chosen plaintexts and time complexity of $2^{104.2}$ 7-round IDEA encryptions. The complexities of the new attacks, along with selected previously known attacks, are summarized in Table 1.
Table 1. Selected Known Attacks on IDEA and Our New Results

Rounds    Attack Type                 Complexity: Data    Complexity: Time   # of Affected Keys   Source
2         Differential                $2^{10}$ CP         $2^{42}$           all                  [21]
2.5       Differential                $2^{10}$ CP         $2^{106}$          all                  [21]
3         Differential-Linear         $2^{29}$ CP         $2^{44}$           all                  [8]
3.5       Linear                      103 KP/CP           $2^{97}$           all                  [16]
3.5       Square                      $2^{22}$ CP         $2^{66}$           all                  [16]
4         Impossible Differential     $2^{37}$ CP         $2^{70}$           all                  [1]
4         Linear                      114 KP              $2^{114}$          all                  [24]
4         Square                      $2^{23}$ CP         $2^{98}$           all                  [16]
4.5       Impossible Differential     $2^{64}$ CP         $2^{112}$          all                  [1]
5         Meet-in-the-Middle Attack   $2^{24}$ CP         $2^{126}$          all                  [12]
6.5       Related-Key Rectangle       $2^{59.8}$ RK-CP    $2^{88.1}$         all                  [5]
2.5 (t)   Linear                      $2^{18}$ CP         $2^{18}$           all                  Section 4.1
3         Linear                      $2^{19}$ CP         $2^{48.5}$         all                  Section 4.2
4.5       Linear                      16 CP               $2^{103}$          all                  Section 4.3
5         Linear                      $2^{19}$ KP         $2^{103}$          all                  Section 4.3
7.5       Related-Key Linear          $2^{43.5}$ RK-KP    $2^{115.1}$        all                  Section 5
7         Related-Key Rectangle       $2^{65}$ RK-CP      $2^{104.2}$        all                  Appendix A

KP - Known plaintext, CP - Chosen plaintext, RK - Related key.
Time complexity is measured in encryption units.
(t) - Distinguishing attack.


We expect that the new relation can also be used to improve other attacks on 
IDEA, as well as attacks on other block ciphers that use the same operations, 
e.g., the MESH family of block ciphers [23]. 

The paper is organized as follows: In Section 2, we briefly describe the structure of IDEA. In Section 3 we present the new relation between the operations of IDEA. In Section 4 we present the new attack on 5-round IDEA. In Section 5 we transform this attack into a 7.5-round related-key attack on IDEA. Appendix A suggests a related-key rectangle attack on 7-round IDEA. Finally, Section 6 summarizes the paper.

2 Description of IDEA and the Notations Used in the Paper

IDEA [20] is a 64-bit, 8.5-round block cipher with 128-bit keys. It uses a composition of XOR operations, additions modulo $2^{16}$, and multiplications over $GF(2^{16} + 1)$.

Every round of IDEA is composed of two layers. The round input of round $i$ is composed of four 16-bit words denoted by $(X_1^i, X_2^i, X_3^i, X_4^i)$. In the first layer, denoted by KA, the first and the fourth words are multiplied by subkey words (mod $2^{16} + 1$) where 0 is replaced by $2^{16}$, and the second and the third words are added to subkey words (mod $2^{16}$). The intermediate values after this
Fig. 1. One Round of IDEA


half-round are denoted by $(Y_1^i, Y_2^i, Y_3^i, Y_4^i)$. Formally, let $Z_1^i, Z_2^i, Z_3^i$, and $Z_4^i$ be the four subkey words, then

$$Y_1^i = Z_1^i \odot X_1^i;\quad Y_2^i = Z_2^i \boxplus X_2^i;\quad Y_3^i = Z_3^i \boxplus X_3^i;\quad Y_4^i = Z_4^i \odot X_4^i.$$

Then, $(p^i, q^i) = (Y_1^i \oplus Y_3^i, Y_2^i \oplus Y_4^i)$ enters the second layer, a structure composed of multiplications and additions denoted by MA. We denote the two output words of the MA transformation by $(u^i, t^i)$. Denoting the subkey words that enter the MA function by $Z_5^i$ and $Z_6^i$,

$$u^i = (p^i \odot Z_5^i) \boxplus t^i;\qquad t^i = (q^i \boxplus (p^i \odot Z_5^i)) \odot Z_6^i.$$

Another notation we use in the attack refers to an intermediate value in the MA layer: we denote the value $p^i \odot Z_5^i$ by $s^i$.

The output of the $i$-th round is $(Y_1^i \oplus t^i, Y_3^i \oplus t^i, Y_2^i \oplus u^i, Y_4^i \oplus u^i)$. In the last round (round 9) the MA layer is removed. Thus, the ciphertext is $(Y_1^9 \| Y_2^9 \| Y_3^9 \| Y_4^9)$. The structure of a single round of IDEA is shown in Figure 1.

IDEA's key schedule is linear: each subkey is composed of bits selected from the key. However, the exact structure of the key schedule is crucial for our attacks and hence the entire key schedule is described in Table 2.
Table 2. The Key Schedule Algorithm of IDEA

Round    $Z_1^i$    $Z_2^i$    $Z_3^i$    $Z_4^i$    $Z_5^i$    $Z_6^i$
i = 1    0-15       16-31      32-47      48-63      64-79      80-95
i = 2    96-111     112-127    25-40      41-56      57-72      73-88
i = 3    89-104     105-120    121-8      9-24       50-65      66-81
i = 4    82-97      98-113     114-1      2-17       18-33      34-49
i = 5    75-90      91-106     107-122    123-10     11-26      27-42
i = 6    43-58      59-74      100-115    116-3      4-19       20-35
i = 7    36-51      52-67      68-83      84-99      125-12     13-28
i = 8    29-44      45-60      61-76      77-92      93-108     109-124
i = 9    22-37      38-53      54-69      70-85


3 A New Non-trivial Relation Between the Three Operations of IDEA

In this section we present the new non-trivial relation between the three different operations of IDEA. The relation we present is a property of the MA layer. Since the property is independent of the round number, in this section we omit the round index in all the notations. The property is related to the XOR difference between the values in two encryptions. We denote the difference in the word $X$ by $\Delta X$.

Observation 1. Assume that the XOR difference between the two intermediate encryption values in the input to the MA layer is of the form $(\Delta p, \Delta q) = (0, \alpha)$ for some $\alpha$. Assume also that there is no key difference in the key word $Z_5$ (but there is no assumption whether there is a key difference in the subkey word $Z_6$). Then:

1. The least significant bit of the value $\Delta u \oplus \Delta t$ equals zero.

2. The average probability of the event $(\Delta u, \Delta t) = (8000_x, 8000_x)$ over all the possible keys is $2^{-16}$ (if $\alpha \neq 0$ or if there is a key difference in $Z_6$).

3. If $\alpha$ is non-zero or if there is a difference in $Z_6$, then $\sum_{\nu,\tau} \Pr^2[(\Delta u, \Delta t) = (\nu, \tau)] = 2^{-23.72}$.

We note that the first part of the observation is similar to observations that were used in [12, 16, 24].

If the MA layer was truly random, then the probability of the event $(\Delta u, \Delta t) = (8000_x, 8000_x)$ would be $2^{-32}$. Hence, we have a differential with a much higher probability than expected.

The third part of the observation gives a much higher value than the corresponding value for a random function (which is $2^{-32}$). The value discussed in the third part of the observation affects boomerang and rectangle attacks.

We shall now provide the proof of the observation: The proof uses the additive difference (modulo $2^{16}$) between the two inputs, which we denote by $\delta X$. As there is no XOR difference in the first input word to the MA function ($\Delta p = 0$), there is no additive difference as well, i.e., $\delta p = 0$. As there is no additive difference in the subkey $Z_5$, then $\Delta s = \delta s = 0$ as well. As $u = t \boxplus s$ then $\delta u = \delta t \boxplus \delta s = \delta t$. We use this relation in the proof:

1. $LSB(\Delta u) = LSB(\delta u) = LSB(\delta t) = LSB(\Delta t)$, where $LSB(w)$ denotes the least significant bit of the word $w$. Thus, $LSB(\Delta u \oplus \Delta t) = LSB(\Delta u) \oplus LSB(\Delta t) = 0$.

2. Since no assumption on $\alpha$ or the subkey difference in $Z_6$ was used (aside from the fact that there is such a difference), we can assume that the value $\delta t$ is randomly distributed. Hence, with probability $2^{-16}$ the difference is $\delta t = 8000_x$. In this case, $\delta u = 8000_x$ as well. However, $\delta t = 8000_x$ is equivalent to $\Delta t = 8000_x$. Thus, the probability of the event $(\Delta u, \Delta t) = (8000_x, 8000_x)$ is indeed $2^{-16}$, as asserted.

3. We can write

$$\sum_{\nu,\tau} \Pr^2[(\Delta u, \Delta t) = (\nu, \tau)] = \sum_{\nu,\tau} \Big(\sum_{\delta} \Pr[(\Delta u, \Delta t) = (\nu, \tau) \wedge (\delta t = \delta)]\Big)^2 = 2^{-32} \cdot \sum_{\nu,\tau} \Big(\sum_{\delta} \Pr[(\Delta u, \Delta t) = (\nu, \tau) \mid (\delta t = \delta)]\Big)^2$$

where the last equality follows from the assumption that $\Pr[\delta t = \delta] = 2^{-16}$ for every $\delta$. We calculated the last value explicitly by a computer program and got the value $\sum_{\beta,\gamma} \Pr^2[(\Delta u, \Delta t) = (\beta, \gamma)] = 2^{-23.72}$, as asserted.

Q.E.D.

4 A New Attack on 5-Round IDEA 

In this section we present new attacks on 2.5-round, 3-round and 5-round IDEA 
based on the first relation established in Section 3. 

We start with an observation due to Biryukov (according to [24]) and Demirci [12]. Let us examine the second and the third words in all the intermediate stages of the encryption. There is a relation between the values of these words and the outputs of the MA layer in the intermediate rounds that uses only XOR and modular addition, but not multiplication. Let $P = (P_1, P_2, P_3, P_4)$ be a plaintext and let $C = (C_1, C_2, C_3, C_4)$ be its corresponding ciphertext, then

$$((((((((((((((((P_2 \boxplus Z_2^1) \oplus u^1) \boxplus Z_3^2) \oplus t^2) \boxplus Z_2^3) \oplus u^3) \boxplus Z_3^4) \oplus t^4) \boxplus Z_2^5) \oplus u^5) \boxplus Z_3^6) \oplus t^6) \boxplus Z_2^7) \oplus u^7) \boxplus Z_3^8) \oplus t^8) \boxplus Z_2^9 = C_2. \quad (1)$$

Similarly,

$$((((((((((((((((P_3 \boxplus Z_3^1) \oplus t^1) \boxplus Z_2^2) \oplus u^2) \boxplus Z_3^3) \oplus t^3) \boxplus Z_2^4) \oplus u^4) \boxplus Z_3^5) \oplus t^5) \boxplus Z_2^6) \oplus u^6) \boxplus Z_3^7) \oplus t^7) \boxplus Z_2^8) \oplus u^8) \boxplus Z_3^9 = C_3. \quad (2)$$

Now, if we are interested only in the value of the least significant bit (LSB) of the words, modular addition is equivalent to XOR and we can simplify the above equations into:

$$LSB(P_2 \oplus Z_2^1 \oplus u^1 \oplus Z_3^2 \oplus t^2 \oplus Z_2^3 \oplus u^3 \oplus Z_3^4 \oplus t^4 \oplus Z_2^5 \oplus u^5 \oplus Z_3^6 \oplus t^6 \oplus Z_2^7 \oplus u^7 \oplus Z_3^8 \oplus t^8 \oplus Z_2^9) = LSB(C_2), \quad (3)$$

and

$$LSB(P_3 \oplus Z_3^1 \oplus t^1 \oplus Z_2^2 \oplus u^2 \oplus Z_3^3 \oplus t^3 \oplus Z_2^4 \oplus u^4 \oplus Z_3^5 \oplus t^5 \oplus Z_2^6 \oplus u^6 \oplus Z_3^7 \oplus t^7 \oplus Z_2^8 \oplus u^8 \oplus Z_3^9) = LSB(C_3). \quad (4)$$

Since $u^i = t^i \boxplus s^i$ then $LSB(u^i) = LSB(t^i \oplus s^i)$, thus $LSB(u^i \oplus t^i) = LSB(s^i)$. Taking this into consideration and XORing the two above equations we obtain

$$LSB(P_2 \oplus P_3 \oplus Z_2^1 \oplus Z_3^1 \oplus s^1 \oplus Z_2^2 \oplus Z_3^2 \oplus s^2 \oplus Z_2^3 \oplus Z_3^3 \oplus s^3 \oplus Z_2^4 \oplus Z_3^4 \oplus s^4 \oplus Z_2^5 \oplus Z_3^5 \oplus s^5 \oplus Z_2^6 \oplus Z_3^6 \oplus s^6 \oplus Z_2^7 \oplus Z_3^7 \oplus s^7 \oplus Z_2^8 \oplus Z_3^8 \oplus s^8 \oplus Z_2^9 \oplus Z_3^9) = LSB(C_2 \oplus C_3). \quad (5)$$

This equation is called in [16] "the Biryukov-Demirci relation".

Consider two plaintexts $P^1$ and $P^2$. Denote the XOR difference between the encryptions of $P^1$ and $P^2$ (under the same secret key) in an intermediate value $X$ by $\Delta X$. Then, XORing the equations given by $P^1$ and $P^2$ gives

$$LSB(P_2^1 \oplus P_3^1 \oplus P_2^2 \oplus P_3^2 \oplus \Delta s^1 \oplus \Delta s^2 \oplus \Delta s^3 \oplus \Delta s^4 \oplus \Delta s^5 \oplus \Delta s^6 \oplus \Delta s^7 \oplus \Delta s^8) = LSB(C_2^1 \oplus C_3^1 \oplus C_2^2 \oplus C_3^2). \quad (6)$$

Equation (6) is the basic equation used in all our attacks in this section.
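As an added illustration (not code from the paper), the following Python implementation of IDEA's round structure in the paper's notation checks two of the statements above empirically: Observation 1, part 1 (the LSB of $\Delta u \oplus \Delta t$ is zero whenever $\Delta p = 0$, with or without a difference in $Z_6$) and the Biryukov-Demirci relation, Equation (5), traced through all 8.5 rounds with the intermediate values $s^i$. The key schedule follows Table 2 with key bit 0 as the most significant bit; the last round's middle-word swap is kept as in the paper's description, which only exchanges the two middle ciphertext words relative to the standard output transformation and leaves the relation unchanged.

```python
"""Check the Biryukov-Demirci relation (Equation (5)) and Observation 1, part 1,
on a small IDEA implementation.  Added example, not code from the paper."""
import random

MASK16 = 0xFFFF
MASK128 = (1 << 128) - 1


def mul(a, b):
    """IDEA multiplication modulo 2^16 + 1, where the word 0 stands for 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    return ((a * b) % 0x10001) & MASK16   # the residue 2^16 maps back to 0


def add(a, b):
    """IDEA addition modulo 2^16."""
    return (a + b) & MASK16


def subkeys(key):
    """52 subkeys of a 128-bit key.  Subkey j starts at key bit
    25*(j//8) + 16*(j%8) (mod 128), bit 0 being the most significant bit,
    which reproduces the bit ranges of Table 2 (e.g. subkey 8 = Z_3^2 = 25-40)."""
    out = []
    for j in range(52):
        pos = (25 * (j // 8) + 16 * (j % 8)) % 128
        rotated = ((key << pos) | (key >> (128 - pos))) & MASK128
        out.append(rotated >> 112)
    return out


def ma_layer(p, q, z5, z6):
    """MA transformation of the paper: s = p*Z5, t = (q + s)*Z6, u = s + t.
    Returns (u, t, s)."""
    s = mul(p, z5)
    t = mul(add(q, s), z6)
    u = add(s, t)
    return u, t, s


def encrypt_trace(key, pt):
    """Encrypt one block in the paper's round convention: eight full rounds
    whose output is (Y1^t, Y3^t, Y2^u, Y4^u), then round 9 = KA layer only.
    Returns (ciphertext words, [s^1, ..., s^8])."""
    z = subkeys(key)
    x1, x2, x3, x4 = pt
    s_vals = []
    for i in range(8):
        z1, z2, z3, z4, z5, z6 = z[6 * i:6 * i + 6]
        y1, y2, y3, y4 = mul(x1, z1), add(x2, z2), add(x3, z3), mul(x4, z4)
        u, t, s = ma_layer(y1 ^ y3, y2 ^ y4, z5, z6)
        s_vals.append(s)
        x1, x2, x3, x4 = y1 ^ t, y3 ^ t, y2 ^ u, y4 ^ u
    z1, z2, z3, z4 = z[48:52]
    return (mul(x1, z1), add(x2, z2), add(x3, z3), mul(x4, z4)), s_vals


def biryukov_demirci_holds(key, pt):
    """Equation (5): LSB(P2 ^ P3 ^ XOR_{i=1..9}(Z_2^i ^ Z_3^i) ^ XOR_{i=1..8} s^i)
    must equal LSB(C2 ^ C3)."""
    z = subkeys(key)
    ct, s_vals = encrypt_trace(key, pt)
    lhs = pt[1] ^ pt[2]
    for i in range(9):          # Z_2^i is z[6(i-1)+1], Z_3^i is z[6(i-1)+2]
        lhs ^= z[6 * i + 1] ^ z[6 * i + 2]
    for s in s_vals:
        lhs ^= s
    return (lhs & 1) == ((ct[1] ^ ct[2]) & 1)


def observation1_part1_holds(z5, z6a, z6b, p, q, alpha):
    """Input difference (dp, dq) = (0, alpha), same Z5, possibly different Z6:
    the LSB of du ^ dt must be zero."""
    u1, t1, _ = ma_layer(p, q, z5, z6a)
    u2, t2, _ = ma_layer(p, q ^ alpha, z5, z6b)
    return (((u1 ^ u2) ^ (t1 ^ t2)) & 1) == 0


def run_checks(trials=2000, seed=1):
    """Random keys, plaintexts and MA inputs (constructed, not from the paper);
    returns True only if both properties held in every trial."""
    rng = random.Random(seed)
    for _ in range(trials):
        key = rng.getrandbits(128)
        pt = tuple(rng.getrandbits(16) for _ in range(4))
        if not biryukov_demirci_holds(key, pt):
            return False
        z5, z6a, z6b, p, q, alpha = (rng.getrandbits(16) for _ in range(6))
        if not observation1_part1_holds(z5, z6a, z6b, p, q, alpha):
            return False
    return True


if __name__ == "__main__":
    print("Equation (5) and Observation 1.1 hold in all trials:", run_checks())
```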

4.1 A Distinguishing Attack on 2.5-Round IDEA 

Consider a 2.5-round variant of IDEA of the form $KA \circ MA \circ KA \circ MA \circ KA$. For the sake of simplicity we assume that the attack is on the first 2.5 rounds of IDEA, but the same attack holds for any 2.5 consecutive rounds of this form. For a 2.5-round IDEA, Equation (6) is reduced to

$$LSB(P_2^1 \oplus P_3^1 \oplus P_2^2 \oplus P_3^2 \oplus \Delta s^1 \oplus \Delta s^2) = LSB(C_2^1 \oplus C_3^1 \oplus C_2^2 \oplus C_3^2). \quad (7)$$

Note that by the first part of the observation in Section 3, if the input XOR difference to the MA layer is of the form $(\Delta p, \Delta q) = (0, \alpha)$ then $\Delta s = 0$. In order to use this property, we consider pairs of plaintexts $(P^1, P^2)$ such that $\Delta(X_1^1, X_2^1, X_3^1, X_4^1) = (0, \beta, 0, \gamma)$ for arbitrary values of $\beta$ and $\gamma$. For these pairs $\Delta Y_1^1 = \Delta Y_3^1 = 0$ (independent of the values $Z_1^1, Z_3^1$), and hence $\Delta p^1 = 0$. Therefore, the required property holds and $\Delta s^1 = 0$. We note that the same idea was used (to some extent) in [16].

Similarly, if we take only ciphertext pairs satisfying $\Delta(Y_1^3, Y_2^3, Y_3^3, Y_4^3) = (0, 0, \beta', \gamma')$ for arbitrary values of $\beta'$ and $\gamma'$, then $(\Delta p^2, \Delta q^2) = (0, \alpha')$ for some $\alpha'$, and hence $\Delta s^2 = 0$.

If the plaintext/ciphertext pair $((P^1, C^1), (P^2, C^2))$ satisfies both differential relations required above, Equation (7) is further reduced into

$$LSB(P_2^1 \oplus P_3^1 \oplus P_2^2 \oplus P_3^2) = LSB(C_2^1 \oplus C_3^1 \oplus C_2^2 \oplus C_3^2). \quad (8)$$

This is a simple linear relation that can be checked easily since only bits of the plaintexts and the ciphertexts are involved in the equation.

Based on these observations, we can mount a simple distinguishing attack on 
2.5-round IDEA, using the following algorithm: 
1. Ask for the encryption of $2^{18}$ plaintexts of the form $(A, Z, B, W)$, where $A$ and $B$ are fixed and $Z$ and $W$ assume arbitrary random values.

2. Insert the ciphertexts into a hash table sorted by the first two words.

3. For every pair of ciphertexts in the same bin of the hash table, check whether Equation (8) holds for the corresponding plaintext/ciphertext pair.

4. If there is a pair for which the equation does not hold, conclude that the cipher is not 2.5-round IDEA. If there is no such pair, conclude that the cipher is 2.5-round IDEA.

Due to the structure of the plaintexts, for every pair of plaintexts the first differential requirement holds. For every pair of ciphertexts in the same bin of the hash table, the second requirement also holds. Hence, for all the checked pairs Equation (8) should be satisfied for 2.5-round IDEA.

The $2^{18}$ plaintexts can be combined into about $2^{35}$ possible pairs, and a fraction of $2^{-32}$ of them is expected to have ciphertext difference of the form $(0, 0, \beta', \gamma')$. Hence, the expected number of pairs analyzed in Step 3 is eight. If there is a pair for which the equation does not hold, we know for sure that the cipher is not 2.5-round IDEA. On the other hand, for a random permutation, the probability that the equation holds for all the eight pairs is 1/256. Hence, the distinguisher succeeds with probability greater than 99.5%.

Since the second and the third steps of the attack are implemented using a hash table, the time complexity of the attack is dominated by the time complexity of the encryptions in the first step of the attack. Hence, the data complexity of the attack is $2^{18}$ chosen plaintexts and the time complexity is $2^{18}$ encryptions.

4.2 A Key Recovery Attack on 3-Round IDEA 

The 2.5-round distinguisher can be extended to an attack on 3-round IDEA of the form $E = KA \circ MA \circ KA \circ MA \circ KA \circ MA$ by guessing the subkey of the last MA layer and applying the distinguishing attack to the first 2.5 rounds. In this case, the data complexity is slightly increased, since more pairs are required in the last step of the attack in order to discard all the wrong key values.

The attack algorithm is the following: 

1. Ask for the encryption of $2^{19}$ plaintexts of the form $(A, Z, B, W)$, where $A$ and $B$ are fixed and $Z$ and $W$ assume arbitrary random values.

2. For every guess of the 32-bit subkey of the last MA layer: 

(a) Partially decrypt all the ciphertexts through the last MA layer and insert the resulting $Y^3$ values into a hash table sorted by the first 32 bits.

(b) For every pair of values in the same bin of the hash table, check whether 
Equation (8) holds for the corresponding plaintext /ciphertext pair. 

(c) If there is a pair for which the equation does not hold, discard the subkey 
guess. Otherwise, keep the subkey guess. 

3. Output all the subkey guesses that were not discarded. 

Since there are $2^{19}$ plaintexts, there are about $2^{37}$ possible pairs, and about 32 pairs are examined in Step 2(b). Hence, for a wrong key guess the probability that the equation holds for all the pairs is $2^{-32}$. Therefore, only a few possible key guesses remain, including the right key. The filtering can be further improved by enlarging the data structure by a small factor.

The time complexity of the attack is dominated by Step 2(b) which contains decrypting all ciphertexts under all the subkey guesses. The data complexity of the attack is $2^{19}$ chosen plaintexts and the time complexity of the attack is equivalent to $2^{19} \times 2^{32} \times (1/6) \approx 2^{48.5}$ 3-round encryptions. Note that the attack recovers only 32 bits of the master key and the rest of the key has to be found using other techniques.

We note that a similar attack can be mounted on a 3-round variant of IDEA of the form $E = MA \circ KA \circ MA \circ KA \circ MA \circ KA$. The only difference is that in this case the attack is performed in the decryption direction. The time and data complexities remain unchanged.

The two extensions can be combined to an attack on a 3.5-round variant of IDEA of the form $E = MA \circ KA \circ MA \circ KA \circ MA \circ KA \circ MA$. However, in this case the data and time complexities are worse than the complexities of the best known attack on 3.5-round IDEA. This follows from the fact that while in the 3-round attacks we could guarantee that one of the differential conditions holds, in the 3.5-round attack this is not the case.

4.3 Attack on 5-Round IDEA 

In this section we devise an attack on a 5-round variant of IDEA starting with the second half of round 3. Choosing round 3 as the starting point of the attack is optimal, as described later.

First, we consider a 4.5-round attack starting at the beginning of round 4. For this variant, Equation (6) is transformed into

$$LSB(P_2^1 \oplus P_3^1 \oplus P_2^2 \oplus P_3^2 \oplus \Delta s^4 \oplus \Delta s^5 \oplus \Delta s^6 \oplus \Delta s^7) = LSB(C_2^1 \oplus C_3^1 \oplus C_2^2 \oplus C_3^2). \quad (9)$$

In our attack we use pairs of plaintexts with XOR difference $\Delta(X_1^4, X_2^4, X_3^4, X_4^4) = (0, \beta, 0, \gamma)$, thus $\Delta s^4 = 0$. In order to calculate $\Delta s^i$ for $5 \le i \le 7$, we guess part of the master key and partially decrypt the ciphertexts through the last three rounds.

In order to calculate the required $\Delta s^i$ values, we guess the twelve subkeys $Z_1^8, Z_2^8, Z_3^8, Z_4^8, Z_1^7, Z_2^7, Z_3^7, Z_4^7, Z_5^7, Z_6^7, Z_5^6, Z_6^6$ that allow us to partially decrypt two rounds, and the subkeys $Z_1^6, Z_2^6, Z_5^5$ that allow us to calculate the value $\Delta s^5$. However, it appears that all these 15 subkeys use only 103 bits of the master key, whereas bits 100-124 of the master key remain unused. Hence, we can guess 103 bits of the master key, and for each guess we can check whether the equation holds for the plaintext/ciphertext pairs. We note that finding the right subkey requires about 128 pairs for the analysis, which can be constructed from about 16 chosen plaintexts. We also note that starting the attack in a different round would require guessing more subkey bits.

In order to extend the attack to 5 rounds, we guess the subkey of the MA layer in round 3. This does not increase the time complexity since the relevant subkey is composed of bits 50-81 of the master key that are included in the 103 bits we guess in the 4.5-round attack. However, this additional half round affects the data complexity of the attack.

The only remaining issue is getting pairs of plaintexts with difference $\Delta(X_1^4, X_2^4, X_3^4, X_4^4) = (0, \beta, 0, \gamma)$. Since for every guess of the MA layer of round 3 different plaintext pairs are needed to fulfill this differential requirement, this attack uses known plaintexts instead of chosen plaintexts. We start with $2^{19}$ known plaintexts that compose $2^{37}$ possible pairs. For each subkey guess of the MA layer of round 3, we partially encrypt all the plaintexts and choose the pairs that have difference $\Delta(X_1^4, X_2^4, X_3^4, X_4^4) = (0, \beta, 0, \gamma)$. We expect 32 such pairs, and these pairs are used in the sequel of the attack. The time complexity of this step is negligible compared to the time complexities of the other steps of the attack.

The attack algorithm is as follows: 

1. Ask for the encryption of $2^{19}$ known plaintexts.

2. For each guess of key bits 50-81, perform the following:

(a) Partially encrypt the plaintexts through the MA layer of round 3 and insert the resulting $X^4$ values into a hash table indexed by the first and the third words.

(b) For each guess of key bits 0-49, 82-99¹ and 125-127 and for all the colliding pairs, perform the following:

i. Partially decrypt all the pairs through rounds 7 and 6, and the MA layer of round 5.

ii. Verify that Equation (9) holds for all of the pairs. If not, discard the key guess.

(c) If the key guess passed the filtering, perform exhaustive search on the remaining 25 key bits.

As we mentioned before, for every guess of key bits 50-81, we expect that 32 pairs are analyzed in Step 2(b) of the attack. Hence, the probability that a wrong key guess passes the filtering is $2^{-32}$. Thus, we expect that about $2^{103} \cdot 2^{-32} = 2^{71}$ key guesses enter Step 2(c). Thus, the time complexity of Step 2(c) is expected to be equivalent to $2^{25} \cdot 2^{71} = 2^{96}$ encryptions in total. 

Therefore, the time complexity of the attack is dominated by the partial decryptions of Step 2(b). We observe that this step can be optimized. Note that half of the key guesses are discarded after the first pair, half of the remaining key guesses are discarded after the second pair, etc. Hence, instead of decrypting all the pairs at once, the attacker can decrypt the first pair and check whether the equation holds, then (if the key guess was not discarded) decrypt the second pair and check the equation for it, etc. Using this improvement, the time complexity of this step is $2^{103} + 2^{102} + 2^{101} + \ldots \approx 2^{104}$ partial decryptions, which are roughly equivalent to $2^{103}$ full encryptions. 

Hence, the data complexity of the attack is $2^{19}$ known plaintexts and the time complexity is $2^{103}$ encryptions. 

¹ Note that key bits 50-81 are already guessed. 

5 Related-Key Attack on 7.5-Round IDEA 

In this section we present a related-key attack on the first 7.5 rounds of IDEA. The 7.5-round related-key attack uses similar relations as the 5-round known plaintext attack. In the attack we use the difference between the keys to construct pairs of plaintexts for which the intermediate values (when encrypted under the two different keys) are equal for 2.5 rounds. For such pairs of plaintexts, Equation (6) is reduced to a much simpler one. 

Let K and K* be two keys that are equal in all bits but bit 34 and any non-empty subset of bits {41, 42, ..., 49}. Let P and P* be two plaintexts such that $Y_2$ and $Y_2^*$, the corresponding intermediate encryption values after the KA layer of round 2, satisfy: 

$Y_2^1 = Y_2^{*1},\quad Y_2^2 = Y_2^{*2},\quad Y_2^3 = Y_2^{*3},\quad Y_2^4 = Y_2^{*4}.$ (10) 

In such a pair, the intermediate encryption values are equal until the MA layer of round 4. In that MA layer, the input difference is $(\Delta p_4, \Delta q_4) = (0, 0)$ and the key difference affects only $Z_6^4$. Hence, by the observation presented in Section 3, $\Delta s_2 = \Delta s_3 = \Delta s_4 = 0$. 

Therefore, for such a pair Equation (6) is reduced to 

$LSB(P^2 \oplus P^3 \oplus P^{*2} \oplus P^{*3} \oplus \Delta s_1 \oplus \Delta s_5 \oplus \Delta s_6 \oplus \Delta s_7) = LSB(C^2 \oplus C^3 \oplus C^{*2} \oplus C^{*3}).$ (11) 

Hence, if the attacker is able to construct plaintext pairs satisfying Equation (10), he can partially encrypt/decrypt the plaintext/ciphertext pairs through rounds 1, 7, 6, and 5 and check whether Equation (11) is satisfied. In order to do so, the attacker has to guess the subkeys of round 1 used in the partial encryption and the subkeys of rounds 7, 6 and the MA layer of round 5 used in the partial decryption. However, these 18 subkeys use only 103 bits of the master key, and hence guessing these key bits and checking whether Equation (11) holds for some plaintext/ciphertext pairs satisfying Equation (10) yields an attack faster than exhaustive key search. 

Constructing pairs of plaintexts satisfying Equation (10) is not a trivial operation. However, if we use the known plaintext model and take sufficiently many plaintexts, then Equation (10) may be satisfied sufficiently many times. A naive approach would be to partially encrypt all the given known plaintexts through round 1 and the KA layer of round 2, and to find the relevant pairs. However, even in an optimized manner, this approach would result in guessing 96 key bits, which combined with the known plaintext nature of the attack results in a time complexity of at least $2^{128}$ 1-round IDEA encryptions. 

Therefore, we use a modified approach. We use $2^{42.5}$ known plaintexts encrypted under two related keys (a total of $2^{43.5}$ related-key known plaintexts), and partially encrypt them through the KA layer of round 1. After the KA layer, we consider only the pairs that have difference $(0, 0040_x, 0, 0040_x)$. Such pairs have difference $(0, 0, 0040_x, 0040_x)$ at the input to the KA layer of round 2, independent of the value of the subkeys $Z_5^1, Z_6^1$. With probability 1/2 the difference in the third word is canceled by the key difference, and with probability $2^{-16}$ the difference in the fourth word is canceled by the key difference, leading to a pair that satisfies Equation (10). Hence, the required pairs are detected by a two-step algorithm. First the attacker guesses the values of the subkeys $Z_1^1, Z_2^1, Z_3^1$, and $Z_4^1$ and finds the pairs having difference $(0, 0040_x, 0, 0040_x)$ after the first KA layer. Most of the pairs are filtered at this stage. Then the attacker further guesses the values of the subkeys $Z_5^1, Z_6^1, Z_3^2$, and $Z_4^2$ and checks which of the remaining pairs satisfy Equation (10). 

The attack algorithm on 7.5-round IDEA is as follows: 

1. Ask for $2^{42.5}$ known plaintexts encrypted under K and denote the set of plaintexts and ciphertexts by SetP. 

2. Ask for $2^{42.5}$ known plaintexts encrypted under K* and denote the set of plaintexts and ciphertexts by SetP*. 

3. For each guess of the subkeys $Z_1^1, Z_2^1, Z_3^1$, and $Z_4^1$: 

(a) Partially encrypt all plaintexts in SetP and in SetP* through the KA layer of round 1. 

(b) Find all pairs of $Y_1$ (encrypted under K) and $Y_1^*$ (encrypted under K*) such that $Y_1 \oplus Y_1^* = (0, 0040_x, 0, 0040_x)$. 

(c) For each such pair, and each guess of $Z_5^1, Z_6^1, Z_3^2$, and $Z_4^2$: 

i. If the pair satisfies Equation (10), guess the remaining subkeys of rounds 7, 6 and the MA layer of round 5 needed for the partial decryption, and verify whether Equation (11) is satisfied. 

ii. If the equation is not satisfied, discard the subkey guess. 

4. For each remaining subkey, exhaustively try all 25 remaining subkey bits, and output the remaining key. 

There are $2^{85}$ pairs of plaintexts, of which $2^{85} \cdot 2^{-64} = 2^{21}$ have difference $(0, 0040_x, 0, 0040_x)$ after the KA layer of round 1. For each guess of $Z_1^1, Z_2^1, Z_3^1$, and $Z_4^1$, about $2^{21} \cdot 2^{-17} = 16$ pairs have a zero difference after the KA layer of round 2, satisfying Equation (10). For a correct subkey guess, all these pairs should satisfy Equation (11). For wrong subkey guesses, the probability that Equation (11) is satisfied for all the pairs is $2^{-16}$. There are $2^{103}$ possible subkeys, and hence the number of subkeys that enter Step 4 is expected to be $2^{103} \cdot 2^{-16} = 2^{87}$. 

The time complexity of the attack is thus dominated by Step 3 (Steps 1 and 2 have time complexity of $2^{42.5}$ encryptions each, and Step 4 has time complexity of $2^{87} \cdot 2^{25} = 2^{112}$ trial encryptions). Step 3(a) is repeated $2^{64}$ times, and each time $2^{43.5}$ values are partially encrypted through one KA layer. Hence, the time complexity of this step is $2^{64} \cdot 2^{43.5} = 2^{107.5}$ partial encryptions. Step 3(b) can be executed efficiently using a hash table. In Step 3(c)(i) only $2^{21}$ pairs (or $2^{22}$ values) are analyzed but this step requires guessing 32 more bits ($Z_3^2$ and $Z_4^2$ are covered by the bits guessed in Step 3(a)). Thus, the time complexity of the first part of this step (finding the pairs satisfying Equation (10)) is $2^{64} \cdot 2^{22} \cdot 2^{32} = 2^{118}$ 1-round decryptions. The time complexity of the second part of Step 3(c)(i) (checking whether Equation (11) is satisfied) is much lower, as even though 9 more key bits are guessed, there are only 32 pairs (or 64 values) that enter this step. Thus, the total time complexity of the attack is about $2^{118} \cdot \frac{1}{7.5} = 2^{115.1}$ 7.5-round IDEA encryptions. 
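The key-schedule facts that Sections 4 and 5 rely on (which master-key bits each subkey $Z_i^r$ is built from, hence which subkeys a guess of bits 50-81 or of $Z_1^1, \ldots, Z_4^1$ already covers, and at which position a one-bit key difference lands inside a subkey) can be checked mechanically. The following script is an added example, not code from the paper; it implements IDEA's published key schedule as a bit-position map, numbering master-key bits from the most significant one (bit 0) as the paper does, and verifies the statements made above and in the appendix against it.

```python
"""IDEA key schedule as a map from subkey to master-key bit positions.

Added example, not code from the paper.  IDEA takes its 52 16-bit subkeys
from the 128-bit master key eight at a time, rotating the key left by 25
bits between groups.  Bit 0 is the most significant bit of the master key,
matching the paper's "bits 50-81" style of reference; Z_1^r..Z_4^r are the
KA-layer subkeys of round r and Z_5^r, Z_6^r the MA-layer subkeys.
"""
from typing import Iterable, List, Set, Tuple

KEY_BITS = 128
SUBKEY_BITS = 16
ROTATION = 25             # left rotation applied after every 8 subkeys
Subkey = Tuple[int, int]  # (round, index), e.g. (3, 5) for Z_5^3


def subkey_bits(rnd: int, idx: int) -> List[int]:
    """Master-key bit positions feeding Z_idx^rnd, listed MSB first."""
    if not (1 <= rnd <= 9 and 1 <= idx <= 6) or (rnd == 9 and idx > 4):
        raise ValueError("rounds 1-8 have 6 subkeys; the output transform (round 9) has 4")
    k = 6 * (rnd - 1) + (idx - 1)            # 0-based position among the 52 subkeys
    group, pos = divmod(k, 8)
    start = (ROTATION * group + SUBKEY_BITS * pos) % KEY_BITS
    return [(start + i) % KEY_BITS for i in range(SUBKEY_BITS)]


def bit_mask_in_subkey(key_bit: int, rnd: int, idx: int) -> int:
    """16-bit mask of where master-key bit `key_bit` sits in Z_idx^rnd (0 if absent).

    A one-bit key difference at `key_bit` therefore appears in this subkey as
    exactly this XOR difference, e.g. the paper's 0040_x or 8000_x."""
    bits = subkey_bits(rnd, idx)
    if key_bit not in bits:
        return 0
    return 1 << (SUBKEY_BITS - 1 - bits.index(key_bit))


def bits_of(subkeys: Iterable[Subkey]) -> Set[int]:
    """Union of master-key bits used by some subkeys, i.e. the bits a guess of them fixes."""
    out: Set[int] = set()
    for rnd, idx in subkeys:
        out.update(subkey_bits(rnd, idx))
    return out


def covered_by(target: Iterable[Subkey], guessed: Iterable[Subkey]) -> bool:
    """True if guessing `guessed` already determines every bit of `target`."""
    return bits_of(target) <= bits_of(guessed)


def first_reuse(key_bit: int, after: Subkey) -> Subkey:
    """First subkey, in encryption order after `after`, that uses `key_bit` again."""
    order = [(r, i) for r in range(1, 10) for i in range(1, 7) if not (r == 9 and i > 4)]
    for sk in order[order.index(after) + 1:]:
        if key_bit in subkey_bits(*sk):
            return sk
    raise LookupError("key bit is not used again")


if __name__ == "__main__":
    ka1 = [(1, 1), (1, 2), (1, 3), (1, 4)]
    # Section 4: the MA layer of round 3 is built from bits 50-81.
    print(sorted(bits_of([(3, 5), (3, 6)])) == list(range(50, 82)))
    # Section 5: bit 34 enters Z_3^2 as 0040_x; Z_3^2, Z_4^2 lie inside the 64 bits of Z_1^1..Z_4^1.
    print(hex(bit_mask_in_subkey(34, 2, 3)), covered_by([(2, 3), (2, 4)], ka1))
    # Appendix: bit 91 is the top bit of Z_2^5 (8000_x) and is next used in Z_4^7.
    print(hex(bit_mask_in_subkey(91, 5, 2)), first_reuse(91, (5, 2)))
```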



424    E. Biham, O. Dunkelman, and N. Keller 


6 Summary and Conclusions 

In this paper we presented several new results on the block cipher IDEA: the first non-trivial relation involving all three different operations of IDEA, a known-plaintext 5-round attack, a related-key attack on 7.5-round IDEA (with two keys) and a related-key rectangle attack on 7-round IDEA (with four keys). These results are by far the best known attacks against reduced-round variants of the cipher. 

Our paper shows that the linear key schedule of IDEA makes the cipher 
relatively vulnerable to attacks that guess vast amounts of the key. However, 
despite our findings, the full IDEA still resists all known attacks. 
A   A Related-Key Rectangle Attack on 7-Round IDEA 

In this appendix we use the third part of the observation in Section 3 to improve the 6.5-round related-key rectangle attack presented in [5] and to devise a related-key rectangle attack on 7-round IDEA. Due to space constraints, we present only the main idea of the attacks and the final results. The detailed description of the attacks appears in the full version of the paper. 

We start by devising a new related-key boomerang distinguisher for 5.5-round IDEA. The data complexity of the distinguisher is worse than that of the distinguisher used in [5], but it can be used to devise better key recovery attacks. We note that the distinguisher used in [5] can also be improved using similar techniques. This improvement is also described in the full version of the paper. 

The new 5.5-round distinguisher is applicable to rounds 1.5-6. The first related-key differential starts after the KA layer of round 1 with the difference $(0, 0040_x, 0, 0040_x)$ and ends after the MA layer of round 4. The key difference is in bit 34, and any non-empty subset of bits {41, 42, ..., 49}. The second related-key differential starts at the beginning of round 5 with the difference $(0, 8000_x, 0, 0)$ and key difference in key bit 91. This difference evolves into a zero difference after the MA layer of round 6 with probability 1. 

The second differential is quite standard. It is based on cancelling the difference in the second word using the key difference in bit 91 (i.e., $\Delta K_1 = e_{91}$). Then, the zero difference is preserved until key bit 91 is used again in the subkey $Z_4^7$. 

The first differential is a bit more complicated. A pair with input difference $\alpha = (0, 0040_x, 0, 0040_x)$ to the MA layer of round 1 has difference $(0, 0, 0040_x, 0040_x)$ after the MA layer with probability 1. With probability 1/2 the key difference cancels the data difference in the third word, and with probability $2^{-16}$ the key difference cancels the data difference in the fourth word. Thus, with probability $2^{-17}$, the pair has a zero difference after the KA layer of round 2. This zero difference is preserved until the last multiplication in the MA layer of round 4. Hence, in that MA layer both $\Delta p_4$ and the key difference in $Z_5^4$ are zero. Thus, we can apply the third part of the observation in Section 3 to obtain $p = 2^{-17} \cdot 2^{-11.86} = 2^{-28.86}$. The key difference $\Delta K_0$ can be any of 511 possible values. We use the value $\Delta K_0 = e_{34,49}$, but it can be any of the other values without affecting our attack. 

Using these differentials, we get a 5.5-round related-key boomerang distinguisher that uses $2^{59.32}$ adaptive chosen plaintexts and ciphertexts ($2^{57.32}$ values are encrypted/decrypted using four different keys). 

We now present a related-key rectangle attack [5, 15, 19] on the first 6.5 rounds of IDEA based on the distinguisher presented above. The attack algorithm mostly follows the attack algorithm presented in [3] with the few modifications needed due to the related-key nature of the attack. 

Let $K_a, K_b, K_c, K_d$ be the related keys such that $K_b = K_a \oplus \Delta K_0$, $K_c = K_a \oplus \Delta K_1$, and $K_d = K_c \oplus \Delta K_0$. The attack algorithm is as follows: 

1. Data Collection Phase 

(a) Generate $2^{35}$ structures $S_1^a, \ldots, S_{2^{35}}^a$ of $2^{28}$ plaintexts each, where in each structure the first word, the six least significant bits of the second word, and the 14 least significant bits of the third word are fixed. Ask for the encryption of the structures under $K_a$. 

(b) Flip bit 6 of the second word and bit 13 of the third word of any plaintext encrypted under $K_a$, and ask for the encryption of the resulting plaintexts under $K_b$ (to obtain $S_1^b, \ldots, S_{2^{35}}^b$). 

(c) Generate $2^{35}$ structures $S_1^c, \ldots, S_{2^{35}}^c$ of $2^{28}$ plaintexts each, where in each structure the first word, the six least significant bits of the second word, and the 14 least significant bits of the third word are fixed. Ask for the encryption of the structures under $K_c$. 

(d) Flip bit 6 of the second word and bit 13 of the third word of any plaintext encrypted under $K_c$, and ask for the encryption of the resulting plaintexts under $K_d$ (to obtain $S_1^d, \ldots, S_{2^{35}}^d$). 

2. Finding Candidate Quartets 

(a) Find all pairs of ciphertexts $C_a \in S_i^a$ and $C_c \in S_j^c$ such that they have the same value in the first, the second, and the third words. 

(b) For each such pair, check whether there are pairs of ciphertexts $C_b \in S_i^b$ and $C_d \in S_j^d$ such that they have the same value in the first, the second, and the third words. If such a pair exists, transfer $(P_a, P_b, P_c, P_d)$, the corresponding plaintexts, to analysis. 

3. Analysis of Candidate Quartets 

(a) Initialize $2^{64}$ counters, each corresponding to a different guess of $Z_1^1, Z_2^1, Z_3^1, Z_4^1$. 

(b) For each subkey guess of $Z_1^1, Z_2^1, Z_3^1, Z_4^1$ and each candidate quartet, check whether the partial encryption and partial decryption of the pairs of the quartet lead to the required differences. If this is the case, increment the respective counter. 

4. Output: Output all subkey guesses whose counter has a value greater than 8. 

The analysis presented in the full version of the paper shows that the data complexity of the attack is $2^{65}$ related-key chosen plaintexts and the time complexity is $2^{87}$ memory accesses. 

The 6.5-round attack can be extended to an attack on rounds 1-7 of IDEA by partially decrypting all the ciphertexts under all possible values of the key of the last MA layer, and applying the 6.5-round attack. A trivial implementation of this approach would lead to an attack that requires $2^{32} \cdot 2^{87} = 2^{119}$ memory accesses, and a data complexity of $2^{65}$ related-key chosen plaintexts. 

However, we improve this result by observing that there are 12 shared bits between a subkey of the last MA layer and a subkey of the KA layer of round 1. This allows us to filter most of the wrong candidate quartets by evaluating the difference after the addition in the KA layer of round 1. The improved attack is described in detail in the full version of the paper. The data complexity of the attack is $2^{65}$ related-key chosen plaintexts and the time complexity is $2^{111}$ memory accesses. Using the conversion of three clock cycles for one memory access, and the time measurements of the NESSIE project [25], these $2^{111}$ memory accesses are equivalent to $2^{104.2}$ 7-round IDEA encryptions. 

Abstract. In this paper, we propose a new approach for constructing 
selectively convertible undeniable signature schemes, and present two 
efficient schemes based on RSA. Our approach allows a more direct se- 
lective conversion than the previous schemes, and the security can be 
proved formally. Further, our disavowal protocols do not require paral- 
lelization techniques to reach a significant soundness probability. Also, 
our second scheme is the first selectively convertible scheme which is 
provably secure without random oracles. 

Keywords: undeniable signature, selective conversion, RSA. 

1 Introduction 

1.1 Background 

The concept of undeniable signature (US) schemes was introduced by Chaum and van Antwerpen [10]. In a US scheme, the signer issues an undeniable signature $\tau$ which is not publicly verifiable. She then proves the validity or invalidity of $\tau$ in zero-knowledge by running a confirmation protocol or a disavowal protocol with the receiver. US schemes have found various applications in cryptography such as licensing software [10], electronic cash [11,2,31], electronic voting and auctions. Since then there has been a wide range of research covering a variety of different schemes for undeniable signatures over the past 15 years [7,1,9,8,19,14,18,25,4,17,16,22,3,26,27]. 

Recently, the security of Chaum's US scheme was proved formally in the random oracle model by [28]. Laguillaumie and Vergnaud showed a US scheme which is secure in the standard model under the strong Diffie-Hellman (DH) assumption [23]. The relations among the security notions for US schemes were given by [21]. 

The notion of convertible US schemes was introduced by Boyar et al. [1]. A selectively convertible US scheme allows the signer to convert an undeniable signature $\tau$ into a regular signature by releasing a piece of information $\sigma$ at a later time. All conversion means that the signer can convert all undeniable signatures into regular ones. They showed that if there exists a digital signature (DS) scheme, then there exists a convertible US scheme. However, this construction is not practical. 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 428-443, 2006. 

© International Association for Cryptologic Research 2006 
Damgård and Pedersen showed two selectively convertible US schemes based on the ElGamal signature scheme [14]. In their schemes, a part of the ElGamal signature is encrypted by the Rabin encryption scheme or by the ElGamal encryption scheme. However, invisibility is not proved in these schemes,¹ where invisibility means that we cannot decide if $(m, \tau)$ is a valid (message, undeniable signature) pair. Note that invisibility is an essential property required of US schemes by definition. 

Gennaro-Krawczyk-Rabin proposed an RSA-based US scheme which allows all conversion efficiently [18].² They also showed a method of selective conversion such that the signer releases a non-interactive proof which shows that $(m, \tau)$ is a valid (message, undeniable signature) pair. 

1.2 Our Contribution 

In this paper, we propose a new approach for constructing selectively convert- 
ible undeniable signature schemes, and present two efficient schemes based on 
RSA. Our approach allows a more direct selective conversion than the previous 
schemes, and the security can be proved formally. Further, our disavowal pro- 
tocols do not require parallelization techniques to reach a significant soundness 
probability. Also, our second scheme is the first selectively convertible US scheme 
whose security can be proved without random oracles. 

A selectively convertible US scheme has two modes, the US signature issuing mode and the selective conversion mode. In our approach, we consider a DS signature issuing mode as well, which is described as follows: For a message m, 

- The signer issues an undeniable signature $\tau$ in the US mode. 

- In the DS mode, the signer issues $\sigma$ as a regular signature on m. 

- In the selective conversion mode, the signer releases $\sigma$ (which is the same as above) to convert the already issued undeniable signature $\tau$ into a regular signature. By using $\sigma$, the validity of $(m, \tau)$ is made publicly verifiable. 

We first formalize such US schemes as two-sided undeniable/signature schemes ("two-sided scheme" for short). In the security model, we consider adversaries who have access to both the DS-sign oracle and the US-sign oracle. Adversaries then try to forge a digital signature $\sigma$ (DS-forgery) or an undeniable signature $\tau$ (US-forgery). See Figure 1. Both types of forgery must be impossible, and invisibility must be satisfied. 

We next show an efficient two-sided scheme based on RSA signature scheme 
and Paillier’s encryption scheme [29]. In this scheme, the public-key is an RSA 
modulus N(= pq). 

¹ In Sec. 5.1 and Sec. 5.2 of [14], the authors wrote only that "We therefore conjecture that ..." on the invisibility of their schemes. 

² The GRK US scheme assumes that there exists an encoding method of messages such that the RSA-based DS scheme is unforgeable. However, no such encoding method is known in the standard model. Hence the GRK US scheme is currently secure in the random oracle model only. 



430 K. Kurosawa and T. Takagi 


[Figure: DS-sign oracle <-> Adversary <-> US-sign oracle; the adversary outputs a DS forgery or a US forgery] 

Fig. 1. Adversary in Two-sided scheme 

— Our DS mode is the same as the RSA signature scheme with e = N. That is, the signer issues a digital signature $\sigma \in Z_N^*$ on a message m such that 

$\sigma^N = H(m) \bmod N$, 

where H is a hash function. 

— Now replace mod N with mod $N^2$ in the above equation. Then we obtain that 

$\sigma^N = H(m) + \tau N \bmod N^2$ (1) 

for some $\tau \in Z_N$. We consider that this $\tau$ is an undeniable signature on m. That is, in the US mode, the signer issues the above $\tau$ as an undeniable signature. 

— In the selective conversion mode, the signer releases $\sigma$ (which is the RSA signature on m) to convert the already issued $\tau$ into a regular signature. The validity of $(m, \tau)$ is publicly verified by checking eq.(1). 

This piece of information $\sigma$ released for selective conversion is smaller than that of the GRK US scheme [18], where the latter is based on the Fiat-Shamir heuristic.³ 

Not only is the above technique new, but our confirmation and disavowal protocols are also based on a novel approach. In particular, our (zero-knowledge) disavowal protocol does not require parallelization techniques to reach a significant soundness probability. In the previous US schemes, only confirmation protocols are known which do not require parallelization techniques. 

We then prove the security of our scheme in the random oracle model. Roughly speaking, our scheme relies on the RSA assumption and the Nth residuosity assumption.⁴ 

Finally, we show the first selectively convertible US scheme which is provably 
secure in the standard model. It is a two-sided scheme, and it is obtained by 
applying our technique to Cramer-Shoup DS scheme [13] which is known to be 
secure in the standard model. 

Remark 1. In GRK US scheme [18], N = pq, where p and q must be safe primes. 
Galbraith et al. showed a method which can eliminate this restriction [17]. Our 
schemes are totally different from [18,17], and p and q can be any primes. 

³ Since our scheme does not use the Fiat-Shamir heuristic, it uses one random oracle H while the GRK scheme must use two random oracles (see footnote 2). 

⁴ On the other hand, the GRK US scheme [18] relies on the RSA assumption and the DDH assumption over $Z_N^*$, where the security model considers neither a DS-sign oracle nor DS forgery. 
2 Model and Definitions 

For an algorithm A and its input x, we write $y \leftarrow A(x)$ if y is an output of A(x). 


2.1 Syntax 

A two-sided scheme consists of six polynomial time algorithms (Key, DSign, DVerify, USign, Convert, UVerify), and two protocols, a confirmation protocol Confirm and a disavowal protocol Disavow. 

Key is a probabilistic algorithm which outputs a public-key pk and a secret-key sk on input $1^\ell$, where $\ell$ is a security parameter. The public-key pk specifies the message space $\mathcal{M}$, the space of digital signatures $\mathcal{V}$, and the space of undeniable signatures $\mathcal{U}$. 

DSign is a (either probabilistic or deterministic) algorithm which outputs a digital signature $\sigma$ on input (sk, m), where m is a message. We say that $(m, \sigma)$ is a valid D-pair if there exists a random tape such that the algorithm DSign(sk, m) outputs $\sigma$. 

DVerify is an algorithm which, on input $(pk, m, \sigma)$, outputs accept if $(m, \sigma)$ is a valid D-pair, and reject otherwise. 

USign is a (probabilistic) algorithm which outputs an undeniable signature $\tau$ on input (sk, m), where m is a message. We say that $(m, \tau)$ is a valid U-pair if there exists a random tape such that the algorithm USign(sk, m) outputs $\tau$. 

Convert is an algorithm which outputs a digital signature $\sigma$ for a valid U-pair $(m, \tau)$. More precisely, on input $(sk, m, \tau)$, it outputs some $\sigma \leftarrow$ DSign(sk, m) if $(m, \tau)$ is a valid U-pair, and $\bot$ otherwise. Then by using UVerify shown below, the validity of $(m, \tau)$ is made publicly verifiable. 

Note that the above $\sigma$ is not necessarily a random output of DSign(sk, m). It must be related to $\tau$ so that the validity of $(m, \tau)$ is made publicly verifiable with UVerify. 

UVerify is an algorithm which verifies the validity of $(m, \tau)$ by using $\sigma \leftarrow$ Convert(sk, m, $\tau$). More precisely, on input $(pk, m, \tau, \sigma)$, it outputs accept if $(m, \tau)$ is a valid U-pair and $\sigma \leftarrow$ Convert(sk, m, $\tau$), and reject otherwise. 

Confirm is a zero-knowledge proof system for valid U-pairs $(m, \tau)$. 

Disavow is a zero-knowledge proof system for invalid U-pairs $(m, \tau)$. 

A two-sided scheme has three modes as follows. 

DS mode: (Key, DSign, DVerify) is used as a DS scheme in an obvious way. 

US mode: (Key, USign, Confirm, Disavow) is used as a US scheme in an obvious way. 

Selective conversion mode: Convert and UVerify are used to convert an undeniable signature $\tau$ on m so that the validity of $(m, \tau)$ is made publicly verifiable. 

The definitions of Convert and UVerify combine DS mode and US mode through selective conversion mode. 





2.2 Security 

In two-sided schemes, adversaries have three goals, DS-forgery, US-forgery and invisibility. In the attack game of each goal, we allow A to have oracle access to DSign-oracle, USign-oracle, Convert-oracle and Confirm/Disavow-oracle, where the last oracle is explained as follows. A queries $(m, \tau)$ to Confirm/Disavow-oracle. If $(m, \tau)$ is a valid U-pair, then the oracle returns yes and executes the protocol Confirm with A. Otherwise, it returns no and executes the protocol Disavow with A. In both cases, the oracle plays the role of the signer and A plays the role of the verifier. 

We call DSign-oracle and USign-oracle sign-oracles, and Convert-oracle and Confirm/Disavow-oracle decision-oracles. 

Table 1. Sign-oracles and Decision-oracles 

  Sign-oracles      | DSign-oracle, USign-oracle 
  Decision-oracles  | Convert-oracle, Confirm/Disavow-oracle 


(1) We define DS-forgery as follows. Any adversary A can obtain a valid D-pair $(m, \sigma)$ if A queries m to DSign-oracle or A queries a valid U-pair $(m, \tau)$ to Convert-oracle. (In the latter case, Convert-oracle returns $\sigma$.) We require that there is no other method for A to output a valid D-pair. Formally, we consider the following game. An adversary A is given a randomly generated public-key pk. A then has access to all oracles. Finally A outputs a forgery $(m^*, \sigma^*)$. 

We say that $(m^*, \sigma^*)$ is not fresh if A queries $m^*$ to DSign-oracle or A queries a valid U-pair $(m^*, \tau)$ to Convert-oracle for some $\tau$. Otherwise we say that $(m^*, \sigma^*)$ is fresh. We say that A DS-forges if $(m^*, \sigma^*)$ is a valid D-pair, and it is fresh. We show an example by using Table 2. In this example, 

1. A queried $m_i$ to DSign-oracle and received $\sigma_i$. 

2. A queried $m_j$ to USign-oracle and received $\tau_j$. A next queried $(m_j, \tau_j)$ to Convert-oracle and received $\sigma_j$. 

3. A queried $m_k$ to USign-oracle and received $\tau_k$. 

4. A queried $m_\ell$ to no sign-oracle. 

A finally outputs $(m^*, \sigma^*)$. If $(m^*, \sigma^*)$ is a valid D-pair and $m^* = m_\ell$, then A succeeds in DS-forgery. A also succeeds even if $m^* = m_k$. It is easy to see that $(m^*, \sigma^*)$ is fresh in these cases. 

Definition 1. We say that a two-sided scheme is DS-secure if Pr[A DS-forges] is negligible for any PPT adversary A. 

In selectively convertible US schemes, A should not be able to forge a converter $\sigma$ for an already issued U-pair $(m, \tau)$. In two-sided schemes, this security notion is included in the above definition. 

(2) We define US-forgery as follows. Suppose that an adversary A finally outputs a valid U-pair $(m^*, \tau^*)$, where A has never queried $m^*$ to USign-oracle, but it queried $m^*$ to DSign-oracle. Is it a forgery? Our definitions of Sec. 2.1, however, do not exclude the possibility that one can construct $\tau^*$ from a valid D-pair $(m^*, \sigma^*)$. Indeed, this is the case in our constructions. 

Hence we consider that A succeeds in US-forgery if A has never queried $m^*$ to any sign-oracle. We say that a valid U-pair $(m^*, \tau^*)$ is fresh if A has never queried $m^*$ to any sign-oracle. We also consider that A succeeds in US-forgery if she queries a fresh $(m^*, \tau^*)$ to one of the decision-oracles during the attack game. 

Formally, we consider the following game. An adversary A is given a randomly generated public-key pk. A then has access to all oracles. We say that A US-forges if A outputs a fresh $(m^*, \tau^*)$ or A queries a fresh $(m^*, \tau^*)$ to one of the decision-oracles. 

Let us consider the example which is shown in the previous case (1) by using Table 2. Suppose that A finally outputs a valid U-pair $(m^*, \tau^*)$. If $m^* = m_\ell$, then A succeeds in US-forgery. However, A does not succeed if $m^* = m_i$. 

Definition 2. We say that a two-sided scheme is US-secure if Pr[A US-forges] is negligible for any PPT adversary A. 

Table 2. Query pattern and DS/US forgery 

                  | $m_i$      | $m_j$      | $m_k$        | $m_\ell$ 
  DSign-oracle    | $\sigma_i$ |            | ($\sigma^*$) | ($\sigma^*$) 
  USign-oracle    |            | $\tau_j$   | $\tau_k$     | ($\tau^*$) 
  Convert-oracle  |            | $\sigma_j$ |              | 

(Entries in parentheses mark the columns for which a forgery on that message is fresh, as discussed in the text.) 


(3) The third security notion is invisibility, a notion due to Chaum, van Heijst and Pfitzmann [9]. This notion is essentially the inability to determine whether a given U-pair is valid. We consider the following game on a distinguisher D. 

1. D is given a randomly generated public-key pk. D then has access to all oracles. 

2. At some point, D outputs a message $m^*$ which has never been queried to any oracle, and requests a challenge undeniable signature $\Lambda$ on $m^*$. 

3. $\Lambda$ is generated based on the outcome of a hidden coin toss b. If b = 1, then $\Lambda$ is generated as usual using USign-oracle, otherwise $\Lambda$ is chosen uniformly at random from the undeniable signature space $\mathcal{U}$. 

4. D performs oracle queries again with the restriction that no sign-oracle query on $m^*$ is allowed, and no decision-oracle query on $(m^*, \Lambda)$ is allowed. 

5. At the end of this attack game, D outputs a guess b'. 

Define $Adv^{inv}(D) = |\Pr[b' = b] - 1/2|$. 

Definition 3. A two-sided scheme is invisible if $Adv^{inv}(D)$ is negligible for any PPT D. 

Definition 4. We say that a two-sided scheme is secure if it is DS-secure, US-secure and invisible. 
3 Proposed Two-Sided Scheme in RO Model 

Now we show an efficient two-sided scheme in the random oracle model based on RSA and Paillier's encryption scheme [29]. 

3.1 Paillier’s Encryption Scheme 

In Paillier's encryption scheme [29], the public-key is N(= pq), and the private-key is (p, q), where p and q are large primes. The encryption function for a message $m \in Z_N$ is given by 

$E(m, r) = r^N (1 + mN) \bmod N^2$, 

where $r \in Z_N^*$ is randomly chosen. E has a homomorphic property such that 

$E(m_1, r_1) \cdot E(m_2, r_2) = E(m_1 + m_2 \bmod N,\ r_1 r_2 \bmod N) \bmod N^2$. 

(For decryption, see [29].) We say that $Y \in Z_{N^2}^*$ is an Nth residue if $Y = x^N \bmod N^2$ for some $x \in Z_N^*$. Note that E(0, r) is an Nth residue. 

3.2 Proposed Scheme 

The proposed two-sided scheme is described as follows. Let $m \in \{0, 1\}^*$ be a message. 

— Key Generation. On input $1^\ell$, choose two primes p, q such that $|p| = |q| = \ell$ randomly and compute N = pq. Find d such that $Nd = 1 \bmod \mathrm{lcm}(p - 1, q - 1)$. Let $H : \{0, 1\}^* \to Z_N$ be a hash function. Set the public key as pk = (N, H) and the secret key as d. 

— DSign. Compute $\sigma = H(m)^d \bmod N$ and return $\sigma$ as the digital signature. 

— DVerify. For a given $(m, \sigma)$, output accept if $\sigma^N = H(m) \bmod N$ and reject otherwise. 

— USign. First compute $\sigma = H(m)^d \bmod N$. Next compute $\tau$ such that 

$\sigma^N = H(m) + \tau N \bmod N^2$. (2) 

Finally return $\tau$ as the undeniable signature. 

— Convert. For a given $(m, \tau)$, first compute $\sigma = H(m)^d \bmod N$. Next output $\sigma$ if eq.(2) is satisfied, and $\bot$ otherwise. 

— UVerify. For a given $(m, \tau, \sigma)$, output accept if eq.(2) is satisfied, and reject otherwise. 

For the confirmation/disavowal protocols, we use the following Lemma. 

Lemma 1. $(m, \tau)$ is a valid U-pair if and only if there exists $\sigma \in Z_N^*$ such that 

$E(0, \sigma) = H(m) + \tau N \bmod N^2$, 

where E is the encryption function of Paillier's encryption scheme. 

The proof is clear from eq.(2). Now given $(m, \tau)$, the signer computes $\beta \in Z_N$ such that 

$E(\beta, \sigma) = H(m) + \tau N \bmod N^2$. (3) 

If $\beta = 0$, then the signer runs a confirmation protocol which proves that $\beta = 0$. Otherwise, the signer runs a disavowal protocol which proves that $\beta \neq 0$. 

We will show efficient protocols based on the homomorphic property of Paillier's encryption scheme [29]. 

3.3 Confirmation Protocol 

We first show a basic confirmation protocol which proves that $\beta = 0$ in eq.(3).

1. The verifier chooses $u, v \in \mathbb{Z}_N$ and $w \in \mathbb{Z}_N^*$ randomly, and computes

$y = (H(m) + \tau N)^u E(v, w) \bmod N^2$.

He then sends $y$ to the signer. Note that it holds that for some $r \in \mathbb{Z}_N^*$,
$y = E(0, a)^u E(v, w) = E(0 \times u + v, r) = E(v, r) \bmod N^2$.

2. By using the decryption algorithm of Paillier's encryption scheme, the signer
decrypts $y$ and obtains $v'$ such that $y = E(v', r')$ for some $r'$. Then she sends
$v'$ to the verifier.

3. The verifier accepts if $v' = v$, and rejects otherwise.

Theorem 1. Completeness. If $(m, \tau)$ is a valid U-pair, then the verifier always
accepts.

Soundness. If $(m, \tau)$ is not a valid U-pair, then the verifier rejects with
overwhelming probability.

The proof is given in Appendix A. Finally, we construct a zero-knowledge confirmation
protocol as follows, where $\mathrm{commit}(x)$ is a commitment function.

1. The verifier sends

$y = (H(m) + \tau N)^u E(v, w) \bmod N^2$ (4)

to the signer, where $u, v \in \mathbb{Z}_N$ and $w \in \mathbb{Z}_N^*$ are randomly chosen.

2. The signer computes $v'$ such that $y = E(v', r')$, and sends $c = \mathrm{commit}(v')$
to the verifier.

3. The verifier reveals $u, v, w$.

4. The signer checks if eq.(4) holds by using $u, v, w$. If it holds, then the signer
opens $c = \mathrm{commit}(v')$. Otherwise, she aborts.

5. The verifier accepts if $v' = v$, and rejects otherwise.

Theorem 2. The above protocol is a zero-knowledge confirmation protocol if (i)
$\mathrm{commit}(x)$ reveals no information on $x$, and (ii) the signer cannot find $x' \neq x$ such
that $\mathrm{commit}(x) = \mathrm{commit}(x')$.

The proof will be given in the final version. In the random oracle model, we can
use the simple $\mathrm{commit}(x)$ shown by Pass [30, Sec. 4.1] as follows.

Commit phase. For $x \in \mathbb{Z}_N$, Alice chooses $r \in \mathbb{Z}_N^*$ randomly and sends $c =
H(x, r)$ to Bob.

Reveal phase. Alice sends $(x, r)$ to Bob. Bob checks that $c = H(x, r)$.
3.4 Disavowal Protocol

We first show a basic disavowal protocol which proves that $\beta \neq 0$ in eq.(3).

1. The verifier chooses $u \in \mathbb{Z}_N$ and $w \in \mathbb{Z}_N^*$ randomly, and computes

$y = (H(m) + \tau N)^u E(0, w) \bmod N^2$.

He sends $y$ to the signer. Note that for some $r \in \mathbb{Z}_N^*$,

$y = E(\beta, a)^u E(0, w) = E(\beta \times u \bmod N, r) \bmod N^2$. (5)

2. The signer first computes $x$ such that $y = E(x, r')$, where $x = \beta \cdot u \bmod N$
from eq.(5). She next computes $u' = x/\beta \bmod N$. Then she sends $u'$ to the
verifier. (The division requires $\gcd(\beta, N) = 1$, as in the soundness proof in
Appendix A; a $\beta \neq 0$ with $\gcd(\beta, N) \neq 1$ would reveal a factor of $N$.)

3. The verifier accepts if $u' = u$, and rejects otherwise.

Similarly to Theorem 1, we can prove the following theorem.

Theorem 3. Completeness. If $(m, \tau)$ is not a valid U-pair, then the verifier
always accepts.

Soundness. If $(m, \tau)$ is a valid U-pair, then the verifier rejects with overwhelming
probability.

Finally we construct a zero-knowledge disavowal protocol as follows, where $\mathrm{commit}(x)$
is the commitment function given in the previous subsection.

1. The verifier sends

$y = (H(m) + \tau N)^u E(0, w) \bmod N^2$ (6)

to the signer, where $u \in \mathbb{Z}_N$ and $w \in \mathbb{Z}_N^*$ are randomly chosen.

2. The signer first computes $\beta$ of eq.(3) and $x$ such that $y = E(x, r')$. She next
computes $u' = x/\beta \bmod N$. Then she sends $c = \mathrm{commit}(u')$ to the verifier.

3. The verifier reveals $u, w$.

4. The signer checks if eq.(6) holds by using $u, w$. If it holds, then the signer
opens $c = \mathrm{commit}(u')$. Otherwise, she aborts.

5. The verifier accepts if $u' = u$, and rejects otherwise.

Theorem 4. The above protocol is a zero-knowledge disav owal protocol if (i)
$\mathrm{commit}(x)$ reveals no information on $x$, and (ii) the signer cannot find $x' \neq x$ such
that $\mathrm{commit}(x) = \mathrm{commit}(x')$.


The proof will be given in the final version. 
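The scheme of Sec. 3.2 together with the basic confirmation and disavowal protocols of Sec. 3.3 and 3.4, as an added worked example that is not code from the paper. It uses hard-coded 20-bit toy primes, instantiates the random oracle $H$ by SHA-256 reduced into $\mathbb{Z}_N^*$, decrypts on the signer side with $\lambda = \mathrm{lcm}(p-1, q-1)$, and plays the signer's and the verifier's roles in one process; all of these are assumptions of this example, and the commitment step of the zero-knowledge variants is left out.

```python
# Added example, not code from the paper: the RSA/Paillier two-sided scheme of
# Sec. 3 with toy-sized, hard-coded primes. Assumptions made here: H is SHA-256
# reduced into Z_N^* (the paper only asks for a random-oracle hash), and the
# signer decrypts Paillier ciphertexts with lambda = lcm(p-1, q-1).
import hashlib
import secrets
from math import gcd

# Constructed toy parameters: two 20-bit primes. A real deployment needs
# primes of 1024 bits or more; the algebra below does not depend on the size.
p, q = 1000003, 1000033
N = p * q
N2 = N * N
lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
assert gcd(N, lam) == 1                         # needed for the exponent e = N
d = pow(N, -1, lam)                             # secret key: N*d = 1 mod lcm(p-1, q-1)

def rand_unit(n):
    """Uniform element of Z_n^*."""
    while True:
        a = 1 + secrets.randbelow(n - 1)
        if gcd(a, n) == 1:
            return a

def H(msg):
    """Hash into Z_N^* (assumed instantiation of the paper's random oracle H)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    return h if gcd(h, N) == 1 else 1

def E(m, r):
    """Paillier encryption E(m, r) = r^N (1 + mN) mod N^2 (Sec. 3.1)."""
    return pow(r, N, N2) * (1 + m * N) % N2

def paillier_decrypt(c):
    """Signer-side decryption: m = L(c^lambda mod N^2) * lambda^-1 mod N, L(x) = (x-1)/N."""
    return (pow(c, lam, N2) - 1) // N * pow(lam, -1, N) % N

def dsign(msg):
    return pow(H(msg), d, N)                          # sigma = H(m)^d mod N

def dverify(msg, sigma):
    return pow(sigma, N, N) == H(msg)                 # sigma^N = H(m) mod N

def usign(msg):
    """tau with sigma^N = H(m) + tau*N mod N^2, eq. (2); the division is exact."""
    sigma = dsign(msg)
    return (pow(sigma, N, N2) - H(msg)) // N

def uverify(msg, tau, sigma):
    return pow(sigma, N, N2) == (H(msg) + tau * N) % N2

def convert(msg, tau):
    sigma = dsign(msg)
    return sigma if uverify(msg, tau, sigma) else None   # None stands for the paper's bottom

def beta_of(msg, tau):
    """beta of eq. (3): Paillier plaintext of H(m) + tau*N; it is 0 iff (m, tau) is a valid U-pair."""
    return paillier_decrypt((H(msg) + tau * N) % N2)

def confirm(msg, tau):
    """Basic confirmation protocol of Sec. 3.3, both roles in one process; returns the verdict."""
    u, v, w = secrets.randbelow(N), secrets.randbelow(N), rand_unit(N)
    y = pow((H(msg) + tau * N) % N2, u, N2) * E(v, w) % N2    # verifier -> signer
    v_prime = paillier_decrypt(y)                              # signer -> verifier
    return v_prime == v

def disavow(msg, tau):
    """Basic disavowal protocol of Sec. 3.4; an honest signer refuses when beta = 0."""
    u, w = secrets.randbelow(N), rand_unit(N)
    y = pow((H(msg) + tau * N) % N2, u, N2) * E(0, w) % N2     # verifier -> signer
    beta = beta_of(msg, tau)
    if beta == 0 or gcd(beta, N) != 1:
        return False
    x = paillier_decrypt(y)                                    # x = beta*u mod N, eq. (5)
    u_prime = x * pow(beta, -1, N) % N
    return u_prime == u                                        # signer -> verifier, checked
```

Tampering with $\tau$ by one unit changes $\beta$ to $H(m)^{-1} \bmod N$, which is why the disavowal run on the tampered pair succeeds while the confirmation run fails; the verifier's randomness $u, v, w$ is what makes a cheating signer's answer a blind guess.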
3.5 Security of Our Scheme

The RSA assumption with $e = N$ ($N$-RSA problem) claims that given an RSA
modulus $N$ and a random $y \in \mathbb{Z}_N^*$, it is hard to compute $x \in \mathbb{Z}_N^*$ such that
$y = x^N \bmod N$. We now define the $N^2$-RSA problem as follows. Given an RSA
modulus $N$ and a random $N$th residue $Y \in \mathbb{Z}_{N^2}^*$, compute $x \in \mathbb{Z}_N^*$ such that
$Y = x^N \bmod N^2$. The $N^2$-RSA assumption claims that the $N^2$-RSA problem is
hard. We then prove that the proposed scheme is DS-secure under the $N^2$-RSA
assumption.

Theorem 5. The proposed scheme is DS-secure under the $N^2$-RSA assumption
in the random oracle model.

The proof is given in Appendix B. It uses the technique of Coron [12], which was
also used in [28].

Given an RSA modulus $N$ and a random $y \in \mathbb{Z}_N^*$, the Computational $N$th
Residuosity (CNR) problem is to find $z \in \mathbb{Z}_N$ such that $y + zN = x^N \bmod N^2$
for some $x \in \mathbb{Z}_N^*$. The CNR assumption claims that the CNR problem is hard.
Catalano et al. proved that the CNR problem is as intractable as the one-wayness
of the Paillier cryptosystem [6]. We prove that the proposed scheme is US-secure
under the CNR assumption.

Theorem 6. The proposed scheme is US-secure under the CNR assumption in the
random oracle model.

The proof will be given in the final paper.

Let $\mathrm{Residue}_N = \{Y \mid Y = x^N \bmod N^2 \text{ for some } x \in \mathbb{Z}_N^*\}$. The Decisional $N$th
Residuosity (DNR) assumption claims that $\mathrm{Residue}_N$ and $\mathbb{Z}_{N^2}^*$ are indistinguishable.
More precisely, we consider the following game between a challenger and a
distinguisher $D$. For a given $N (= pq)$:

1. The challenger chooses a random bit $b$. If $b = 0$, then he chooses $Y$ from
$\mathrm{Residue}_N$ randomly. If $b = 1$, then he chooses $Y$ from $\mathbb{Z}_{N^2}^*$ randomly. He
then gives $Y$ to $D$.

2. $D$ outputs a bit $b'$.

Define $\mathrm{Adv}_{dnr}(D) = |\Pr(b' = b) - 1/2|$. The DNR assumption claims that
$\mathrm{Adv}_{dnr}(D)$ is negligible for any PPT distinguisher $D$. This problem was first
addressed for the Paillier cryptosystem, where it is called the decisional composite
residuosity (DCR) assumption; namely, the Paillier cryptosystem is IND-CPA
under the DNR assumption [29].

We prove that the proposed scheme is invisible under the DNR assumption.

Theorem 7. The proposed scheme is invisible under the DNR assumption in the
random oracle model.

The proof will be given in the final paper.

It is easy to see that the following reductions hold for the underlying problems.

1. $N$-RSA Problem $\Rightarrow$ CNR Problem $\Rightarrow$ DNR Problem,

2. $N$-RSA Problem $\Rightarrow$ $N^2$-RSA Problem,

3. CNR Problem $+$ $N^2$-RSA Problem $\Rightarrow$ $N$-RSA Problem.
4 How to Remove Random Oracle

In this section, we show an efficient two-sided scheme in the standard model.
Cramer and Shoup showed an adaptively secure DS scheme under the strong RSA
assumption in the standard model [13]. It can be seen as a special case of the
Shamir-Tauman construction [32], which transforms a weakly secure DS scheme (secure
against weak non-adaptive chosen message attack) into an adaptively secure one
by combining it with a trapdoor commitment scheme. In particular, in the Cramer-Shoup
scheme, the trapdoor commitment scheme is based on the GQ identification
scheme [15].

Our two-sided scheme is constructed by modifying the Cramer-Shoup DS scheme
as follows. First, our DSign algorithm is almost the same as the Cramer-Shoup DS
scheme except that we use two moduli, $N_1 (= p_1 q_1)$ for the GQ-based trapdoor
commitment scheme and $N_2 (= p_2 q_2)$ for the weakly secure signature part, while
the Cramer-Shoup scheme uses a single modulus. Next, our USign algorithm is obtained
by extending our technique of Sec. 3 to the GQ-based trapdoor commitment
scheme.

4.1 Scheme

(Key Generation) Let $\ell$ be a security parameter.

1. Choose four $\ell$-bit primes $p_1, q_1, p_2, q_2$ randomly such that $p_2 = 2p' + 1$ and
$q_2 = 2q' + 1$, where $p'$ and $q'$ are primes. Let $N_1 = p_1 q_1$ and $N_2 = p_2 q_2$.

2. Choose $h_1 \in \mathbb{Z}_{N_1}^*$ and $h_2, x \in QR_{N_2}$ randomly, where $QR_N$ denotes the set
of quadratic residues modulo $N$.

3. Find $d$ such that $N_1 d = 1 \bmod \mathrm{lcm}(p_1 - 1, q_1 - 1)$. Let $H$ be a collision-resistant
hash function whose output can be interpreted as a positive integer
less than $2^\ell$.

4. Set the public key as $pk = (N_1, h_1, N_2, h_2, x, H)$ and the secret key as $sk =
(d, p_2, q_2)$.

DSign. For a message $m \in \{0, 1\}^*$, first choose $y' \in \mathbb{Z}_{N_1}^*$ randomly and compute
$x' \in \mathbb{Z}_{N_1}$ such that

$(y')^{N_1} = x' h_1^{H(m)} \bmod N_1$, (7)

(where $x'$ can be seen as a commitment to $m$). Next choose an $(\ell + 1)$-bit prime
$e$ randomly and compute $y$ such that

$y^e = x h_2^{H(x')} \bmod N_2$, (8)

(where $(e, y)$ is a weakly secure signature on $x'$). The digital signature on $m$ is
$\sigma = (e, y, y')$.

DVerify. For a given $(m, \sigma)$, first check if $e$ is an $(\ell + 1)$-bit number. Second,
$x' = (y')^{N_1} h_1^{-H(m)} \bmod N_1$ is computed. Third, it is checked that $x = y^e h_2^{-H(x')}
\bmod N_2$.
USign. For a message $m \in \{0, 1\}^*$, first compute $\sigma = (e, y, y')$ as shown in DSign.
Next compute $\omega \in \mathbb{Z}_{N_1}$ such that

$(y')^{N_1} = u + \omega N_1 \bmod N_1^2$, (9)

where $u = x' h_1^{H(m)} \bmod N_1$. Finally return $\tau = (e, y, x', \omega)$ as the undeniable
signature on $m$. (Note that the above equation is basically the same as eq.(2).)

Convert. For a given $m$ and $\tau = (e, y, x', \omega)$, first check if $e$ is an $(\ell + 1)$-bit
number and $(e, y, x')$ satisfies eq.(8). Next compute $y' \in \mathbb{Z}_{N_1}$ which satisfies
eq.(7), that is, $y' = (x' h_1^{H(m)})^d \bmod N_1$. Finally check if $(y', \omega)$ satisfies eq.(9).
If everything is OK, then output $\sigma = (e, y, y')$. Otherwise, output $\bot$.

UVerify. For a given $m$, $\tau = (e, y, x', \omega)$ and $\sigma = (e, y, y')$, output accept if $e$
is an $(\ell + 1)$-bit number, and eq.(7), eq.(8) and eq.(9) are satisfied, and reject
otherwise.

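The algorithms of Sec. 4.1 as an added worked example, not code from the paper. It runs at toy size with 32-bit primes; SHA-256 truncated to $\ell$ bits as $H$, $h_1$ drawn from $\mathbb{Z}_{N_1}^*$, and rejection sampling for the $(\ell + 1)$-bit prime $e$ are assumptions of this example rather than choices made in the paper.

```python
# Added example, not code from the paper: the standard-model two-sided scheme of
# Sec. 4.1 at toy size (32-bit primes; real use needs 1024-bit or larger primes).
# Assumptions made here: H is SHA-256 truncated to l bits, h_1 is a random unit
# modulo N_1, and the (l+1)-bit prime e is found by rejection sampling.
import hashlib
import secrets
from math import gcd

ELL = 32  # security parameter l (toy size)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for the toy sizes used here."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for s in small:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, safe=False):
    """Random prime with exactly `bits` bits; safe=True asks for p = 2p' + 1 with p' prime."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c) and (not safe or is_probable_prime((c - 1) // 2)):
            return c

def rand_unit(n):
    while True:
        a = 2 + secrets.randbelow(n - 3)
        if gcd(a, n) == 1:
            return a

def H(data):
    """Collision-resistant hash read as an integer below 2^l (assumed: truncated SHA-256)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << ELL)

def H_int(x):
    return H(x.to_bytes((x.bit_length() + 7) // 8 or 1, "big"))

def keygen():
    p1, q1 = random_prime(ELL), random_prime(ELL)
    p2, q2 = random_prime(ELL, safe=True), random_prime(ELL, safe=True)
    N1, N2 = p1 * q1, p2 * q2
    lam1 = (p1 - 1) * (q1 - 1) // gcd(p1 - 1, q1 - 1)
    if p1 == q1 or p2 == q2 or gcd(N1, lam1) != 1:
        return keygen()                       # retry: need N1*d = 1 mod lcm(p1-1, q1-1)
    pk = dict(N1=N1, h1=rand_unit(N1), N2=N2,
              h2=pow(rand_unit(N2), 2, N2), x=pow(rand_unit(N2), 2, N2))   # h2, x in QR_{N2}
    sk = dict(d=pow(N1, -1, lam1), p2=p2, q2=q2)
    return pk, sk

def commit_x(pk, msg, yp):
    """x' of eq. (7): (y')^{N1} = x' h1^{H(m)} mod N1."""
    N1 = pk["N1"]
    return pow(yp, N1, N1) * pow(pk["h1"], -H(msg), N1) % N1

def dsign(pk, sk, msg):
    N1, N2 = pk["N1"], pk["N2"]
    yp = rand_unit(N1)
    xp = commit_x(pk, msg, yp)
    e = random_prime(ELL + 1)                 # (l+1)-bit prime, hence coprime to 2p'q'
    lam2 = (sk["p2"] - 1) * (sk["q2"] - 1) // 2   # lcm(p2-1, q2-1) = 2p'q' for safe primes
    base = pk["x"] * pow(pk["h2"], H_int(xp), N2) % N2
    y = pow(base, pow(e, -1, lam2), N2)       # eq. (8): y^e = x h2^{H(x')} mod N2
    return e, y, yp

def dverify(pk, msg, sig):
    e, y, yp = sig
    N2 = pk["N2"]
    if e.bit_length() != ELL + 1:
        return False
    xp = commit_x(pk, msg, yp)
    return pk["x"] == pow(y, e, N2) * pow(pk["h2"], -H_int(xp), N2) % N2

def usign(pk, sk, msg):
    """tau = (e, y, x', omega) with (y')^{N1} = u + omega*N1 mod N1^2, eq. (9)."""
    e, y, yp = dsign(pk, sk, msg)
    N1 = pk["N1"]
    xp = commit_x(pk, msg, yp)
    u = xp * pow(pk["h1"], H(msg), N1) % N1
    omega = (pow(yp, N1, N1 * N1) - u) // N1  # exact, since (y')^{N1} = u mod N1
    return e, y, xp, omega

def convert(pk, sk, msg, tau):
    e, y, xp, omega = tau
    N1, N2 = pk["N1"], pk["N2"]
    if e.bit_length() != ELL + 1 or pk["x"] != pow(y, e, N2) * pow(pk["h2"], -H_int(xp), N2) % N2:
        return None                           # eq. (8) fails
    u = xp * pow(pk["h1"], H(msg), N1) % N1
    yp = pow(u, sk["d"], N1)                  # the unique N1-th root of u, eq. (7)
    if pow(yp, N1, N1 * N1) != (u + omega * N1) % (N1 * N1):
        return None                           # eq. (9) fails
    return e, y, yp

def uverify(pk, msg, tau, sig):
    e, y, xp, omega = tau
    N1, N2 = pk["N1"], pk["N2"]
    if sig[:2] != (e, y) or e.bit_length() != ELL + 1:
        return False
    yp = sig[2]
    u = xp * pow(pk["h1"], H(msg), N1) % N1
    return (pow(yp, N1, N1) == u                                              # eq. (7)
            and pow(y, e, N2) == pk["x"] * pow(pk["h2"], H_int(xp), N2) % N2   # eq. (8)
            and pow(yp, N1, N1 * N1) == (u + omega * N1) % (N1 * N1))         # eq. (9)
```

The $e^{-1} \bmod 2p'q'$ exponent in DSign is where the secret $(p_2, q_2)$ enters; Convert instead uses $d$, so the signer needs both halves of $sk$, and a $\tau$ whose $\omega$ is off by one is rejected by Convert and UVerify alike.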
In the confirmation protocol, the signer proves that for a valid U-pair, $m$ and
$\tau = (e, y, x', \omega)$, there exists $\sigma = (e, y, y')$ which satisfies eq.(7), eq.(8) and eq.(9).
Essentially, this means that the signer proves that there exists $y' \in \mathbb{Z}_{N_1}^*$ which
satisfies eq.(9). Such a zero-knowledge protocol can be constructed similarly to
Sec. 3.3.

In the disavowal protocol, the signer proves that for an invalid U-pair $m$ and
$\tau = (e, y, x', \omega)$, there exists no $\sigma = (e, y, y')$ which satisfies eq.(7), eq.(8) and
eq.(9). If eq.(8) is not satisfied, then we are done. If eq.(8) is satisfied, then
the signer proves that there exists no $y' \in \mathbb{Z}_{N_1}^*$ which satisfies eq.(9). Such a
zero-knowledge protocol can be constructed similarly to Sec. 3.4.

In these protocols, we can use a commitment function based on the RSA assumption
as shown in [20, Sec. 3]. Also, see [18, page 405].

4.2 Security 

The strong RSA assumption claims that given an RSA modulus $N$ and a random
$y \in \mathbb{Z}_N^*$, it is hard to find $e > 1$ and $x \in \mathbb{Z}_N^*$ such that $y = x^e \bmod N$.

We define the strong CNR problem as follows. Given an RSA modulus $N$ and
a random $z \in \mathbb{Z}_N^*$, find $a > 1$ and $c \in \mathbb{Z}_N$ such that $w = z^a + cN \bmod N^2$
is an $N$th residue. Solving the CNR problem implies an algorithm for solving
the strong CNR problem, but the other direction is unknown. The strong CNR
assumption claims that the strong CNR problem is hard.

Theorem 8. The above scheme is US-secure under the strong RSA assumption 
and the strong CNR assumption in the standard model. 

Theorem 9. The above scheme is DS-secure under the strong RSA assumption 
and the strong CNR assumption in the standard model. 

Theorem 10. The above scheme is invisible under DNR assumption in the 
standard model. 

All the proofs will be given in the final paper. 
A Proof of Theorem 1

The completeness is clear. We prove the soundness. Suppose that $(m, \tau)$ is not
a valid U-pair. Then we can write

$E(\beta, a) = H(m) + \tau N \bmod N^2$

for some $\beta \in \mathbb{Z}_N$ and $a \in \mathbb{Z}_N^*$, where $\beta \neq 0$ from Lemma 1. Then $y$ is written as
$y = E(\beta, a)^u E(v, w) = E(t, r)$,

where

$t = \beta \cdot u + v \bmod N$ and $r = a^u \cdot w \bmod N$.

Now it is easy to see that for any $v' \in \mathbb{Z}_N$, there exist unique $u' \in \mathbb{Z}_N$ and $w' \in \mathbb{Z}_N^*$ such
that

$t = \beta \cdot u' + v' \bmod N$ and $r = a^{u'} \cdot w' \bmod N$

if $\gcd(\beta, N) = 1$. This means that the prover cannot compute $v$ correctly better
than by guessing. Hence the verifier rejects with overwhelming probability.
B Proof of Theorem 5

We show that if there exists a PPT adversary $A$ with $\Pr[A \text{ DS-forges}] = \epsilon_A$,
then one can construct a PPT algorithm $M$ that can solve the $N^2$-RSA problem
with probability $\epsilon_M$, by running $A$ as a subroutine. Suppose the input to $M$ is
$(N, Y)$, where $Y = x^N \bmod N^2$ for some $x \in \mathbb{Z}_N^*$.

$M$ then starts running $A$ by feeding $A$ with the public key $(N, H)$ where $H$ is
a random oracle that will be simulated by $M$. $M$ also simulates the sign-oracles
and the decision-oracles itself.

We assume that when $A$ requests a sign-oracle query or a decision-oracle query
on a message $m_i$, it has already made the corresponding $H$ query on $m_i$. When
$A$ makes an $H$-oracle query for a message $m_i$, $M$ chooses $r_i \in \mathbb{Z}_N^*$ randomly and
behaves as follows.

— With probability $\delta$, return $h_i = H(m_i) = r_i^N \bmod N$. Let $flag_i = 0$, $\sigma_i = r_i$,
and compute $\tau_i \in \mathbb{Z}_N$ such that $r_i^N = h_i + \tau_i N \bmod N^2$.

— With probability $1 - \delta$, return $h_i = H(m_i) = Y r_i^N \bmod N$. Let $flag_i = 1$,
and compute $\tau_i \in \mathbb{Z}_N$ such that $r_i^N Y = h_i + \tau_i N \bmod N^2$.

In the above, $\delta$ is a fixed probability which will be determined later.

Suppose that $A$ makes a sign-oracle query for a message $m_i$.

— Suppose that $flag_i = 0$. If the query is a DSign-oracle query, then $M$ returns
$\sigma_i$. If it is a USign-oracle query, then $M$ returns $\tau_i$.

— Suppose that $flag_i = 1$. If the query is a USign-oracle query, then $M$ returns
$\tau_i$. If the query is a DSign-oracle query, then $M$ aborts and it fails to solve
the $N^2$-RSA problem.


$flag_i$ | simulation of $H(m_i)$ and $\tau_i$ | DSign-oracle query | USign-oracle query
0 | $r_i^N = h_i + \tau_i N \bmod N^2$ | $\sigma_i = r_i$ | $\tau_i$
1 | $Y r_i^N = h_i + \tau_i N \bmod N^2$ | Abort | $\tau_i$

Next, suppose $A$ makes a decision-oracle query for $(m_i, \tau_i')$.

— Suppose that $\tau_i' \neq \tau_i$. If the query is a Convert-oracle query, then $M$ returns
$\bot$. If the query is a Confirm/Disavow-oracle query, then $M$ returns no and
runs the disavowal protocol with $A$.

— Otherwise, $\tau_i' = \tau_i$. If the query is a Confirm/Disavow-oracle query, then $M$
returns yes and runs the confirmation protocol with $A$.

Suppose that the query is a Convert-oracle query. If $flag_i = 0$, then $M$
returns $\sigma_i$. If $flag_i = 1$, then $M$ aborts and it fails to solve the $N^2$-RSA problem.

In the above, $M$ can simulate the Confirm/Disavow oracle by using the rewinding
technique because the protocols are zero-knowledge.

Now suppose that $A$ DS-forges, and outputs a valid D-pair $(m^*, \sigma^*)$ at the
end of the game. We assume that $A$ has queried the $H$-oracle on $m^*$ and so
$m^* = m_j$ for some $j$.

— If $flag_j = 0$, then $M$ aborts.

— Otherwise, $flag_j = 1$. Since $(m^*, \sigma^*)$ is a valid D-pair, $(\sigma^*)^N = h_j \bmod N$.
The $N$th residues of $\mathbb{Z}_{N^2}^*$ are in one-to-one correspondence with $\mathbb{Z}_N^*$ under
reduction modulo $N$ (because $\gcd(N, \mathrm{lcm}(p-1, q-1)) = 1$), and $h_j + \tau_j N$ is the
$N$th residue that reduces to $h_j$, so it holds that

$h_j + \tau_j N = (\sigma^*)^N \bmod N^2$.

On the other hand, $r_j^N Y = h_j + \tau_j N \bmod N^2$ since $flag_j = 1$. Therefore, it
holds that

$r_j^N Y = (\sigma^*)^N \bmod N^2$, i.e.,

$Y = (\sigma^*/r_j)^N \bmod N^2$.

Now let $x = \sigma^*/r_j \bmod N$. Then it is easy to show that $x^N = (\sigma^*/r_j)^N \bmod
N^2$. Therefore, it holds that

$Y = x^N \bmod N^2$.

Consequently, $M$ outputs $x \in \mathbb{Z}_N^*$ and thus it solves the $N^2$-RSA problem.

To complete the proof, it remains to calculate the probability that $M$ does
not abort. Let $q_D$ be the number of DSign-oracle queries and Convert-oracle queries
that $A$ issues. The probability that $M$ answers all of them is $\delta^{q_D}$, and the
probability that $flag_j = 1$ for $m_j = m^*$ is $1 - \delta$. Therefore, the probability that $M$
does not abort during the simulation is $\delta^{q_D}(1 - \delta)$. This value is maximized at
$\delta_{opt} = 1 - 1/(q_D + 1)$. This shows that $\epsilon_M$ is at least $(1/(e(1 + q_D)))\epsilon_A$, where
$e$ is the base of the natural logarithm. This is because the value $(1 - 1/(q_D + 1))^{q_D}$
approaches $1/e$ for large $q_D$. This completes our proof.
Abstract. Non-interactive zero-knowledge proofs play an essential role in many
cryptographic protocols. We suggest several NIZK proof systems based on prime 
order groups with a bilinear map. We obtain linear size proofs for relations among 
group elements without going through an expensive reduction to an NP-complete 
language such as Circuit Satisfiability. Security of all our constructions is based 
on the decisional linear assumption. 

The NIZK proof system is quite general and has many applications such as 
digital signatures, verifiable encryption and group signatures. We focus on the 
latter and get the first group signature scheme satisfying the strong security defi- 
nition of Bellare, Shi and Zhang [7] in the standard model without random oracles 
where each group signature consists only of a constant number of group elements. 

We also suggest a simulation-sound NIZK proof of knowledge, which is much 
more efficient than previous constructions in the literature. 

Caveat: The constants are large, and therefore our schemes are not practical. 
Nonetheless, we find it very interesting for the first time to have NIZK proofs 
and group signatures that except for a constant factor are optimal without using 
the random oracle model to argue security. 

Keywords: Non-interactive zero-knowledge, simulation-sound extractability, 
group signatures, decisional linear assumption. 

1 Introduction 

A non-interactive proof system allows a prover to convince a verifier about the truth of 
a statement. Zero-knowledge captures the notion that the verifier learns no more from 
the proof than the truth of the statement. We refer to the full paper [28] for formal def- 
initions of non-interactive zero-knowledge (NIZK) proofs. Our goal in this paper is to 
construct short efficient prover NIZK proofs for languages that come up in practice when 
constructing cryptographic protocols. As an example of the usefulness of these new tech- 
niques, we construct group signatures consisting of a constant number of group elements. 

1.1 Setup 

We use two cyclic groups $G, G_1$ of order $p$, where $p$ is a prime. We make use of a
bilinear map $e : G \times G \to G_1$. I.e., for all $u, v \in G$ and $a, b \in \mathbb{Z}$ we have $e(u^a, v^b) =
e(u, v)^{ab}$. We require that $e(g, g)$ is a generator of $G_1$ if $g$ is a generator of $G$. We also
require that group operations, group membership, and the bilinear map be efficiently
computable. Such groups have been widely used in cryptography in recent years.

Let $\mathcal{G}$ be an algorithm that takes a security parameter as input and outputs $(p, G, G_1,
e, g)$ such that $p$ is prime, $G, G_1$ are descriptions of groups of order $p$, $e : G \times G \to G_1$
is an admissible bilinear map as described above and $g$ is a random generator of $G$.

We use the decisional linear assumption from Boneh, Boyen and Shacham [10].

Definition 1 (Decisional Linear Assumption (DLIN)). We say the decisional linear
assumption holds for the bilinear group generator $\mathcal{G}$ if for all non-uniform polynomial
time adversaries $A$ we have

$\Pr[(p, G, G_1, e, g) \leftarrow \mathcal{G}(1^k);\ x, y, r, s \leftarrow \mathbb{Z}_p :
A(p, G, G_1, e, g, g^x, g^y, g^{xr}, g^{ys}, g^{r+s}) = 1]$

$\approx \Pr[(p, G, G_1, e, g) \leftarrow \mathcal{G}(1^k);\ x, y, r, s, d \leftarrow \mathbb{Z}_p :
A(p, G, G_1, e, g, g^x, g^y, g^{xr}, g^{ys}, g^d) = 1]$.

Throughout the paper, we work over a bilinear group $(p, G, G_1, e, g) \leftarrow \mathcal{G}(1^k)$ generated
such that the DLIN assumption holds for $\mathcal{G}$. We call this a DLIN group. Honest
parties always check group membership of $G, G_1$ when relevant and halt if an element
does not belong to the group that it was supposed to according to the protocol.

Given a DLIN group $(p, G, G_1, e, g)$ we can set up a semantically secure cryptosystem
as in [10]. We choose at random $x, y \leftarrow \mathbb{Z}_p^*$. The public key is $(f, h)$, where
$f = g^x, h = g^y$, and the secret key is $(x, y)$. To encrypt a message $m \in G$ we choose
$r, s \leftarrow \mathbb{Z}_p$ and let the ciphertext be $(u, v, w) = (f^r, h^s, g^{r+s} m)$. To decrypt a ciphertext
$(u, v, w) \in G^3$ we compute $m = D(u, v, w) = u^{-1/x} v^{-1/y} w$.

The cryptosystem $(K_{cpa}, E, D)$ has several nice properties. The DLIN assumption
for $\mathcal{G}$ implies semantic security under chosen plaintext attack (CPA). All triples $(u, v,
w) \in G^3$ are valid ciphertexts. Also, the cryptosystem is homomorphic:

$E(m_1; r_1, s_1) E(m_2; r_2, s_2) = E(m_1 m_2; r_1 + r_2, s_1 + s_2)$.


1.2 Pairing Product Equations 

Given a group $(p, G, G_1, e, g)$ we define a pairing product equation of length $t$ over
variables $a_1, \ldots, a_n$ to be an equation of the following form.

$\prod_{j=1}^{t} e(q_{j,0}, q_{j,1}) = 1$, where $q_{j,b} = b_{j,b} \prod_{i=1}^{n} a_i^{e_{j,b,i}}$ with $b_{j,b} \in G$, $e_{j,b,i} \in \mathbb{Z}_p$.

Given a set $S$ of pairing product equations $eq_1, \ldots, eq_m$ we can ask the natural
question: Is there a tuple $(a_1, \ldots, a_n) \in G^n$ such that all equations in $S$ are simultaneously
satisfied?

To illustrate the generality of the language of satisfiable pairing product equations we
observe a reduction from the NP-complete language Circuit Satisfiability. Let $a_1, \ldots, a_n$
correspond to the wires of the circuit, which without loss of generality contains only
NAND-gates. Let $S$ contain equations $e(a_i, a_i g^{-1}) = 1$ forcing each $a_i = g^{b_i}$ to
encode a bit $b_i \in \{0, 1\}$. For each NAND-gate with input wires $i_0, i_1$ and output
$i_2$ add to $S$ the equation $e(a_{i_0}, a_{i_1}) = e(g, g a_{i_2}^{-1})$, which is satisfied if and only if
$b_{i_2} = \neg(b_{i_0} \wedge b_{i_1})$.

Our main motivation for being interested in satisfiability of pairing product equations
is not NP-completeness though. Satisfiability of pairing product equations comes up in
practice when constructing cryptographic protocols and by making a direct NIZK proof
instead of first reducing the problem to some other language such as Circuit Satisfiability
we keep proofs short.

For concreteness, let us use verifiable encryption as an example of a pairing product
satisfiability question that may come up in practice. Suppose $(u, v, w)$ is a ciphertext
under the public key $(f, h)$ of the DLIN-based cryptosystem described earlier. We are
interested in whether this ciphertext encrypts a particular message $m$. This is the case
if and only if there exists $a$ such that $e(g, u) = e(a, f)$ and $e(h, w m^{-1} a^{-1}) = e(v, g)$.
If we know $r, s$ we can compute the satisfiability witness $a = g^r$.

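The cryptosystem of Sec. 1.1, the pairing product equation form of Sec. 1.2 with its Circuit Satisfiability encoding, and the verifiable-encryption equations above, as an added example that is not code from the paper. It represents every group element by its discrete logarithm so that the pairing becomes a product of exponents; this is a toy model for checking the algebra of the equations, not a bilinear group, and it offers no security since the exponents are in the clear. The prime $p = 2^{61} - 1$ is a constructed parameter.

```python
# Added example, not code from the paper: the algebra of Sec. 1.1 and 1.2 in a
# toy model. Every element g^a of G is stored as its exponent a mod p, so the
# group operation is addition, the pairing e(g^a, g^b) = e(g, g)^{ab} is the
# product ab mod p, and the identity of G_1 is 0. This checks pairing product
# equations but gives no security (exponents are in the clear); p is a
# constructed toy prime, not a parameter from the paper.
import secrets

P = (1 << 61) - 1      # prime group order p (constructed)
G = 1                  # the generator g, i.e. g^1

def mul(a, b): return (a + b) % P           # g^a * g^b
def exp(a, k): return a * k % P             # (g^a)^k
def inv(a): return (-a) % P                 # (g^a)^-1
def pair(a, b): return a * b % P            # e(g^a, g^b), written additively in G_1

# Linear (DLIN-based) cryptosystem of Sec. 1.1.
def lin_keygen():
    x, y = 1 + secrets.randbelow(P - 1), 1 + secrets.randbelow(P - 1)
    return (exp(G, x), exp(G, y)), (x, y)   # pk = (f, h) = (g^x, g^y), sk = (x, y)

def lin_encrypt(pk, m, r=None, s=None):
    f, h = pk
    r = secrets.randbelow(P) if r is None else r
    s = secrets.randbelow(P) if s is None else s
    return (exp(f, r), exp(h, s), mul(exp(G, r + s), m)), (r, s)

def lin_decrypt(sk, ct):
    x, y = sk
    u, v, w = ct
    return mul(mul(exp(u, -pow(x, -1, P)), exp(v, -pow(y, -1, P))), w)  # u^{-1/x} v^{-1/y} w

# Pairing product equations: prod_j e(q_{j,0}, q_{j,1}) = 1 with
# q_{j,b} = b_{j,b} * prod_i a_i^{e_{j,b,i}}. A side is (constant b_{j,b}, {i: e_{j,b,i}}).
def side_value(side, a):
    const, exps = side
    q = const
    for i, k in exps.items():
        q = mul(q, exp(a[i], k))
    return q

def satisfied(equations, a):
    """True iff the witness a = (a_1, ..., a_n) satisfies every equation in the set."""
    for eq in equations:
        total = 0
        for left, right in eq:
            total = (total + pair(side_value(left, a), side_value(right, a))) % P
        if total != 0:
            return False
    return True

def circuit_equations(n_wires, nand_gates):
    """Circuit-SAT reduction of Sec. 1.2: e(a_i, a_i g^-1) = 1 per wire and, per
    NAND gate (i0, i1, i2), e(a_i0, a_i1) = e(g, g a_i2^-1), moved to one side."""
    eqs = [[((0, {i: 1}), (inv(G), {i: 1}))] for i in range(n_wires)]
    for i0, i1, i2 in nand_gates:
        eqs.append([((0, {i0: 1}), (0, {i1: 1})), ((inv(G), {}), (G, {i2: -1}))])
    return eqs

def verifiable_encryption_equations(pk, ct, m):
    """(u, v, w) encrypts m iff some a (variable 0) satisfies e(g, u) = e(a, f) and
    e(h, w m^-1 a^-1) = e(v, g); the honest witness is a = g^r."""
    f, h = pk
    u, v, w = ct
    return [[((G, {}), (u, {})), ((0, {0: 1}), (inv(f), {}))],
            [((h, {}), (mul(w, inv(m)), {0: -1})), ((inv(v), {}), (G, {}))]]

def circuit_witness(bits):
    """Wire assignment a_i = g^{b_i} for the bits b_i."""
    return [exp(G, b) for b in bits]
```

Each equation is stored with every pairing moved to the left-hand side, so a right-hand factor $e(x, y)$ appears as $e(x^{-1}, y)$; the checker only ever tests that the product is the identity of $G_1$, which is the form the NIZK proof system takes as input.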
1.3 NIZK Proofs for Satisfiability of Pairing Product Equations 

NIZK proofs. The central technical contribution of this paper is an NIZK proof of
size $O(n + t)$ group elements for satisfiability of a set of pairing product equations of
combined length $t = \sum_{j=1}^{m} t_j$. The proof system has perfect completeness and perfect
soundness.

Related work on NIZK proofs. NIZK proofs were introduced by Blum, Feldman
and Micali [9] and they suggested an NIZK proof for a single statement based on
the hardness of deciding quadratic residuosity. Blum et al. [8] extended this to multi-theorem
NIZK proofs. Feige, Lapidot and Shamir [25] and Kilian and Petrank [33] give
constructions based on trapdoor permutations.

Recently Groth, Ostrovsky and Sahai [30] have constructed NIZK proofs from composite
order bilinear groups introduced by Boneh, Goh and Nissim [11]. Even more
recently Groth, Ostrovsky and Sahai [29] have introduced the setting in this paper, a
bilinear group of prime order and the DLIN assumption. They construct non-interactive
witness-indistinguishable proofs without any setup assumptions. In the common reference
string (CRS) model both results give NIZK proofs for Circuit Satisfiability of size
$O(|C|)$ group elements.

All the above-mentioned papers have in common that they focus on an NP-complete 
language, usually Circuit Satisfiability, and suggest a bit-by-bit or gate-by-gate NIZK 
proof for this language. Our paper differs by introducing new techniques that allows 
making direct NIZK proofs for satisfiability of pairing product equations. This allows us 
to construct constant/linear size cryptographic protocols for digital signatures, RCCA- 
secure encryption[20], verifiable encryption and group signatures. 

The only other way we know of to get linear size NIZK proofs/arguments for any
practical language is the Fiat-Shamir heuristic: make a 3-move public coin (honest verifier)
zero-knowledge protocol non-interactive by computing the verifier's challenge as
a hash of the statement and the initial protocol message. To argue security, one models
the hash-function as a random oracle [6]. It is well known that using the random oracle
model sometimes results in insecure real life protocols [18,19,34,27,4]. In comparison,
our NIZK proofs have provable security under the DLIN assumption.
Simulation-sound extractable NIZK proofs. Combining the definitions of
simulation-soundness introduced by Sahai [35] and proofs of knowledge from De Santis
and Persiano [23], we get simulation-sound extractability. Here the simulator first
creates a simulated CRS together with a simulation trapdoor and an extraction trapdoor.
We require that even after the adversary has seen simulated proofs on arbitrary
statements, if it constructs a new valid proof on any statement, then we can extract a
witness. Simulation-sound extractability is a very strong notion; in particular it implies
non-malleability as defined by De Santis et al. [22].

We construct a simulation-sound extractable NIZK proof for satisfiability of pairing
product equations. Our NIZK proof has a CRS with a description of the group and a
constant number of group elements, and the proofs consist of $O(n + t)$ group elements.
Related work on simulation-sound NIZK proofs. As stated before, our interest
in this paper is satisfiability of pairing product equations. However, in order to
compare our scheme with previous work let us look at the case of Circuit Satisfiability.
[35] constructed a one-time simulation-sound NIZK proof system using techniques
from Dwork, Dolev and Naor [24]. Later a construction for unbounded simulation-sound
extractable NIZK arguments was given by [22], where the adversary can see
many simulated arguments of arbitrary statements. The schemes from both these papers
are based on trapdoor permutations but are not practical. For the sake of fairness in evaluating
the quality of our contribution, we have also considered whether the techniques
from [30] could be used to get good efficiency for simulation-sound extractability. The
answer to this question seems to be negative: the best construction we can think of using
GOS-techniques gives an additive polynomial size overhead.


Scheme | NIZK proof bit size | Assumption
[22] | $O(|C| \cdot \mathrm{poly}(k))$ | Trapdoor permutations
Potential use of [30] techniques | $O(|C| k + \mathrm{poly}(k))$ | Subgroup decision
This paper | $O(|C| k)$ | DLIN

Fig. 1. Comparison of simulation-sound extractable proofs for Circuit Satisfiability

Common reference string versus uniform random string. We will con- 
struct NIZK proofs and simulation-sound extractable NIZK proofs in the common ref- 
erence string model, where the prover and the verifier both have access to a CRS chosen 
according to some distribution. If this distribution is uniform at random we call it the 
uniform random string model. In some settings it is easier to work with a URS, for in- 
stance a URS can easily be jointly generated using multi-party computation techniques. 

Our NIZK proofs use a common reference string that contains a description of a bilinear
group and a number of group elements. Depending on the group elements, the
CRS will give either perfect soundness or perfect zero-knowledge. With overwhelming
probability random group elements will lead to a perfect soundness CRS. Assuming that
we can use a uniform random string to get a description of a DLIN group and a number
of random group elements, we will therefore get NIZK proofs and simulation-sound
NIZK proofs in the URS-model. Since there is a negligible chance of picking a perfect
zero-knowledge CRS, this gives statistical soundness instead of perfect soundness,
which is the best we can hope for in the URS-model. We remark that natural candidates
for bilinear DLIN groups based on elliptic curves are efficiently samplable from a URS
[29]. For the sake of simplicity we will just work with the CRS-model in the paper, but
invite the reader to note that all constructions work in the URS-model as well.

1.4 An Application: Constant Size Group Signatures 

Group signatures, introduced by Chaum and van Heyst [21], allow a member to sign 
messages anonymously on behalf of a group. A group manager controls the group and 
decides who can join. In case of abuse, the group manager is able to open a signature 
to reveal who the signer is. It is hard to design group signatures and most schemes 
[17,16,3,14,2,13,31,15,10,26,32] use the random oracle model in the security proof. 

Bellare, Micciancio and Warinschi [5] suggest rigorous security definitions for group
signatures in the static case where the set of members is fixed from the start and never
changes. Bellare, Shi and Zhang [7] extend the security model to the partially dynamic
case where the group manager can enroll new members in the group. Both [5] and
[7] suggest constructions of group signatures based on trapdoor permutations. These
constructions are very inefficient and only indicate feasibility.

Boyen and Waters [12] use a combination of the Waters signature scheme [36] and 
the [30] NIZK proofs. They assume a static setting and as part of a group signature they 
encrypt the identity of the signer bit by bit. This means that a group signature consists of 
0(log n) group elements, where n is the number of members in the group. The group 
signature scheme satisfies a relaxed version of the [5] security definition, where the 
anonymity is guaranteed only when no signatures have been opened and traced to the 
signer. In comparison, the full-anonymity definition in [5] demands that anonymity is 
preserved even when the adversary can get an opening of any other signature than the 
challenge. 

Ateniese et al. [1] use a bilinear group of prime order. The advantage of this scheme 
is that it is very efficient, a group signature consists of 8 group elements. However, they 
use several strong security assumptions and their security model is even weaker than 
that of [12] since it does not protect against key-exposures; knowledge of a signing key 
immediately allows one to tell which signatures this member has made. In comparison, 
the BMW,BSZ-models do guard against key exposure. 

The tools in this paper give a construction of group signatures where both keys and
signatures consist of a constant number of group elements. The construction involves
carefully constructing and tailoring a signature scheme and the simulation-sound extractable
NIZK proof system such that they fit each other. The constant is large; we
do not claim this to be a practical scheme. Rather this should be seen as an interesting
feasibility result: under a simple and natural security assumption there exists an up
to a constant optimal dynamic group signature scheme satisfying the strong security
definitions from [5,7].
Scheme | Signature in bits | Security model | Assumption
[5] | $\mathrm{poly}(k)$ | BMW [5] (fixed group) | Trapdoor permutations
[7] | $\mathrm{poly}(k)$ | BSZ [7] (dynamic group) | Trapdoor permutations
[12] | $3k + 2k \log n$ | BMW [5], CPA-anonymity | Subgroup decision and CDH
[1] | $8k$ | UC-model, non-adaptive adv. | Strong SXDH, q-EDH, strong LRSW
This paper | $O(k)$ | BSZ [7] | DLIN

Fig. 2. Comparison of group signature schemes


2 Preliminaries 

2.1 Definitions: Non-interactive Zero-Knowledge Proofs 

We provide formal definitions of non-interactive proofs, perfect completeness, perfect 
soundness, unbounded adaptive zero-knowledge, composable zero-knowledge, perfect 
proofs of knowledge, simulation soundness and simulation-sound extractability in the 
full paper. Here we will just sketch one useful stronger definition of zero-knowledge 
that we have not seen elsewhere in the literature. 

Composable zero-knowledge. We define composable zero-knowledge by making 
two requirements. First, a real CRS is computationally indistinguishable from a 
simulated CRS; we call this reference string indistinguishability. Second, the adversary, 
even when it gets access to the simulation trapdoor $\tau$, cannot distinguish real proofs on 
the simulated CRS from simulated proofs. We call this simulation indistinguishability. 
We refer to the full paper for the formal definition and a proof that composable zero-knowledge 
implies the standard notion of unbounded adaptive zero-knowledge usually 
found in the literature. 

Our motivation for introducing the notion of composable zero-knowledge is that it allows 
different zero-knowledge proofs for different languages to use the same CRS. Suppose 
we have relations $R_1, \ldots, R_n$ and corresponding NIZK proof systems $(K, P_1, V_1), \ldots, (K, P_n, V_n)$ 
with composable zero-knowledge using the same key generator and 
CRS simulator $K, S_1$. A hybrid argument shows that no non-uniform polynomial time 
adversary can distinguish real proofs on a simulated CRS from simulated proofs on this 
CRS for relation $R_i$, even if it sees arbitrary proofs or simulations for statements in 
$L_j$, $j \neq i$, using the same CRS. The reason is that in the definition of simulation 
indistinguishability we give $\tau$ to the adversary, so it can itself implement the simulator for 
any relation $R_j$, $j \neq i$. 

Composable zero-knowledge implies that the zero-knowledge property still makes 
sense when many different NIZK proofs use the same CRS. In our paper, all the NIZK 
proofs will indeed generate the CRS in the same way and simulate the CRS in the same 
way, so we get better performance by not having to deal with different CRSs for each 
proof system. At the same time, it simplifies the paper. 

2.2 A Homomorphic Commitment Scheme 

We use the cryptosystem from Section 1.1 to create a homomorphic commitment 
scheme such that depending on how we generate the public key we get either a per- 
fectly binding commitment scheme or a perfectly hiding trapdoor commitment scheme. 




450   J. Groth 


The idea is that if $K$ is an encryption of 1, then $K^m E(1; r, s)$ is also an encryption of 
1 and we have a perfectly hiding commitment to $m$. On the other hand, if $K$ is not an 
encryption of 1, then $K^m E(1; r, s)$ is perfectly binding. 

Perfectly binding key generation: Let $ck = (p, G, G_1, e, g, f, h, u, v, w)$ where $f, h$ 
is a public key for the cryptosystem and $(u, v, w) = (f^{r_u}, h^{s_v}, g^{t_w})$ with $t_w \neq r_u + s_v$ 
is an encryption of a non-trivial element. 

Perfectly hiding trapdoor key generation: Let $ck = (p, G, G_1, e, g, f, h, u, v, w)$ 
where $f, h$ is a public key for the cryptosystem and $(u, v, w) = (f^{r_u}, h^{s_v}, g^{r_u + s_v})$ 
is an encryption of 1. 

The corresponding trapdoor key is $tk = (ck, x, y, r_u, s_v)$. 

Commitment: To commit to a message $m \in \mathbb{Z}_p$ pick $r, s \leftarrow \mathbb{Z}_p$ and let the commitment be 
$$c = (c_1, c_2, c_3) = \mathrm{com}(m; r, s) = (u^m f^r,\ v^m h^s,\ w^m g^{r+s}).$$ 

The commitment schemes $(K_{\mathrm{binding}}, \mathrm{com})$ and $(K_{\mathrm{hiding}}, \mathrm{com})$ have several nice 
properties. The CPA-security of the cryptosystem implies that one cannot distinguish 
perfectly binding keys from perfectly hiding keys. This in turn implies computational hiding, 
respectively computational binding, for the two schemes. The homomorphic property of 
the cryptosystem transfers to the commitment scheme: 
$$\mathrm{com}(m_1 + m_2; r_1 + r_2, s_1 + s_2) = \mathrm{com}(m_1; r_1, s_1)\,\mathrm{com}(m_2; r_2, s_2).$$ 
For the perfectly binding commitment scheme, any $c \in G^3$ is a commitment to some 
message $m \in \mathbb{Z}_p$. 
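The commitment scheme above, as an added example that is not code from Groth's paper: key generation in both modes, commit, the homomorphic property, trapdoor equivocation on the hiding key, and the decryption-key check that shows why the binding key is perfectly binding. Only exponentiation is involved, so the example runs in the prime-order subgroup of $\mathbb{Z}_q^*$ for the 1024-bit MODP safe prime of RFC 2409 instead of a pairing-friendly DLIN group (an assumption of the example); $f = g^x$, $h = g^y$ is the public key of the linear cryptosystem of Section 1.1, and all function names are the example's own.

```python
"""Added example (not Groth's code): the homomorphic commitment scheme of Section 2.2."""
import secrets

# Group (assumption): the order-p subgroup of Z_q^* for the 1024-bit MODP safe prime of RFC 2409,
# used in place of a pairing-friendly DLIN group; commit/open/equivocate only need exponentiation.
Q = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A0879"
        "8E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B"
        "0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
P = (Q - 1) // 2                                  # prime order of the subgroup of squares
G = 4                                             # generator of that subgroup
assert pow(2, P, Q) == 1 and pow(G, P, Q) == 1   # guards against a mistyped constant

def exp(b, e):                                    # b^e with e in Z_p (exponents live mod p)
    return pow(b, e % P, Q)

def rand():
    return secrets.randbelow(P)

def keygen(binding):
    """f = g^x, h = g^y is a public key of the linear cryptosystem; (u, v, w) = (f^r_u, h^s_v, g^t_w)
    encrypts g^(t_w - r_u - s_v): 1 for the hiding key, a non-trivial element for the binding key."""
    x, y, r_u, s_v = 1 + secrets.randbelow(P - 1), 1 + secrets.randbelow(P - 1), rand(), rand()
    t_w = (r_u + s_v + (1 + secrets.randbelow(P - 1) if binding else 0)) % P
    f, h = exp(G, x), exp(G, y)
    return (f, h, exp(f, r_u), exp(h, s_v), exp(G, t_w)), dict(x=x, y=y, r_u=r_u, s_v=s_v, t_w=t_w)

def commit(ck, m, r, s):
    f, h, u, v, w = ck
    return (exp(u, m) * exp(f, r) % Q, exp(v, m) * exp(h, s) % Q, exp(w, m) * exp(G, r + s) % Q)

def hmul(c1, c2):
    """com(m1; r1, s1) * com(m2; r2, s2) = com(m1 + m2; r1 + r2, s1 + s2), componentwise in G^3."""
    return tuple(a * b % Q for a, b in zip(c1, c2))

def equivocate(tk, m, r, s, m_new):
    """With the trapdoor (r_u, s_v) and a hiding key, c = com(m; r, s) also equals com(m_new; r', s')."""
    d = (m - m_new) % P
    return (r + d * tk["r_u"]) % P, (s + d * tk["s_v"]) % P

def opens_to(tk, c, m):
    """Key holder's check that c commits to m: c3^(xy) / (c1^y c2^x) = g^(xy (t_w - r_u - s_v) m).
    On a binding key the exponent t_w - r_u - s_v is non-zero, so m is pinned down; on a hiding
    key it is zero and every m passes, which is exactly perfect hiding."""
    c1, c2, c3 = c
    x, y = tk["x"], tk["y"]
    lhs = exp(c3, x * y) * pow(exp(c1, y) * exp(c2, x) % Q, -1, Q) % Q
    return lhs == exp(G, x * y * (tk["t_w"] - tk["r_u"] - tk["s_v"]) * m)

def demo():
    ck_b, tk_b = keygen(binding=True)
    ck_h, tk_h = keygen(binding=False)
    m1, m2, r1, s1, r2, s2 = (rand() for _ in range(6))
    out = {}
    for name, ck in (("binding", ck_b), ("hiding", ck_h)):       # homomorphism holds for both keys
        out["homomorphic_" + name] = commit(ck, m1 + m2, r1 + r2, s1 + s2) == \
            hmul(commit(ck, m1, r1, s1), commit(ck, m2, r2, s2))
    m_new = (m1 + 1) % P
    c_h, c_b = commit(ck_h, m1, r1, s1), commit(ck_b, m1, r1, s1)
    out["hiding_equivocates"] = commit(ck_h, m_new, *equivocate(tk_h, m1, r1, s1, m_new)) == c_h
    out["binding_resists"] = commit(ck_b, m_new, *equivocate(tk_b, m1, r1, s1, m_new)) != c_b
    out["binding_extracts"] = opens_to(tk_b, c_b, m1) and not opens_to(tk_b, c_b, m_new)
    out["hiding_uninformative"] = opens_to(tk_h, c_h, m_new)      # accepts a wrong m as well
    return out
```

The `binding_resists` case is instructive: the equivocated opening still matches the first two components of $c_b$ (they depend only on $r_u$, $s_v$), and only the third component, where $t_w \neq r_u + s_v$ enters, refuses to match. That mismatch is the whole difference between the two key types, which is why a CPA-secure cryptosystem suffices to make the two keys indistinguishable.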

3 Efficient Non-interactive Zero-Knowledge Proof Systems 

The construction of our NIZK proof for satisfiability of pairing product equations is 
very complex and requires many new techniques. We will therefore build it in a modular 
fashion from NIZK proofs for simpler relations. Even some of these simpler NIZK 
proofs are complex and we can only sketch the ideas behind the constructions here. The 
full paper [28] contains full constructions and security proofs. 

3.1 Common Reference String 

All the NIZK proofs in this section use the same CRS generator K and CRS simula- 
tor Si described below. A CRS is a public key for the perfectly binding commitment 
scheme described in the previous section. The soundness of the NIZK proofs comes 
from the perfect binding property of the commitment scheme, which makes it impos- 
sible for any adversary to cheat. In simulations, we use a public key for the perfectly 
hiding commitment scheme as the simulated CRS. 

Common reference string: Generate $\sigma = (p, G, G_1, e, g, f, h, u, v, w) \leftarrow K_{\mathrm{binding}}(1^k)$.¹ 

¹ Both the CRS generator $K$ and the CRS simulator $S_1$ first create a DLIN group honestly. This 
means that instead of generating the CRSs from scratch, it is also possible to build any of the 
NIZK proofs we construct in the following sections on top of an already existing DLIN group. 
When doing so we write $\sigma \leftarrow K(p, G, G_1, e, g)$ or $(\sigma, \tau) \leftarrow S_1(p, G, G_1, e, g)$. 

Simulated reference string: Generate $(\sigma, \tau) \leftarrow K_{\mathrm{hiding}}(1^k)$, where $\sigma = (p, G, G_1, e, g, f, h, u, v, w)$ and $\tau = (x, y, r_u, s_v)$. 

The CPA-security of the cryptosystem gives us the following lemma. 

Lemma 1. If $(p, G, G_1, e, g)$ is a DLIN group, then $(K, S_1)$ has reference string indistinguishability. 

3.2 NIZK Proofs for Commitment to 0 

Let $R_{\mathrm{zero}} = \{(c, (r, s)) \mid c = \mathrm{com}(0; r, s)\}$ define the language of commitments to 0. 
The proof of the following theorem can be found in the full paper. 

Theorem 1. There exists an NIZK proof system $(K, P_{\mathrm{zero}}, V_{\mathrm{zero}}, S_1, S_{\mathrm{zero}})$ for $R_{\mathrm{zero}}$ 
with perfect completeness, perfect soundness and composable zero-knowledge with perfect 
simulation indistinguishability under the DLIN assumption for $\mathcal{G}$. The proof consists 
of 1 group element ($\pi = g^r$). Verification corresponds to evaluating two pairing 
product equations. 

3.3 Proof for Committed Multiplicative Relationship 

Consider three commitments $c_a, c_b, c_c$ such that the corresponding messages have a 
multiplicative relationship $m_c = m_a m_b$. The corresponding relation is 
$$R_{\mathrm{mult}} = \{((c_a, c_b, c_c), (m_a, r_a, s_a, m_b, r_b, s_b, r_c, s_c)) \mid c_a = \mathrm{com}(m_a; r_a, s_a),\ c_b = \mathrm{com}(m_b; r_b, s_b),\ c_c = \mathrm{com}(m_a m_b; r_c, s_c)\}.$$ 

Theorem 2. There exists an NIZK proof $(K, P_{\mathrm{mult}}, V_{\mathrm{mult}}, S_1, S_{\mathrm{mult}})$ for $R_{\mathrm{mult}}$ with 
perfect completeness, perfect soundness and composable zero-knowledge if the DLIN 
assumption holds for $\mathcal{G}$. A proof consists of 36 group elements. Verification corresponds 
to evaluating a set of pairing product equations. 

Sketch of proof. $c_a, c_b, c_c$ have a multiplicative relationship if and only if 
$$c_c = c_b^{m_a}\,\mathrm{com}(0; r_c - m_a r_b,\ s_c - m_a s_b).$$ 
To prove the latter, it suffices to reveal $m_a$ and prove that $c_a\,\mathrm{com}(-m_a; 0, 0)$ and 
$c_c\, c_b^{-m_a}$ are commitments to 0. To get zero-knowledge, we tweak this idea in a way 
such that $m_a$ is not revealed directly. 

The main trick in the NIZK proof is to pick exponents $r, s$ at random, which will be 
used to hide $m_a$. Using $(K, P_{\mathrm{zero}}, V_{\mathrm{zero}})$ we prove that 
$$c_a\,\mathrm{com}(1; 0, 0)^{-(r+s+m_a)}\,(\mathrm{com}(1; 0, 0)\,\pi_{0,1})^r\,(\mathrm{com}(1; 0, 0)\,\pi_{0,3})^s 
\quad\text{and}\quad 
c_c\, c_b^{-(r+s+m_a)}\,(c_b\,\pi_{0,2})^r\,(c_b\,\pi_{0,4})^s$$ 
are commitments to 0, where $\pi_{0,1}, \pi_{0,2}, \pi_{0,3}, \pi_{0,4}$ are themselves commitments to 0. 

Revealing the components $\mathrm{com}(1; 0, 0)^{r+s+m_a}$ and $c_b^{r+s+m_a}$, the verifier can use the 
bilinear map to check that there exists some common exponent $t = r + s + m_a$, even 
though it cannot compute the exponent itself. Similarly, revealing $(\mathrm{com}(1; 0, 0)\,\pi_{0,1})^r$, 
$(c_b\,\pi_{0,2})^r$ and $(\mathrm{com}(1; 0, 0)\,\pi_{0,3})^s$, $(c_b\,\pi_{0,4})^s$ allows the verifier to check that there exist 
common exponents $r, s$. 

We are verifiably using the same exponents $r, s, t$ on $\mathrm{com}(1; 0, 0)$ and $c_b$ to get respectively 
$c_a$ and $c_c$. This shows that 
$$c_a\,\mathrm{com}(1; 0, 0)^{r+s-t} \quad\text{and}\quad c_c\, c_b^{r+s-t}$$ 
are both commitments to 0. The only way this can be possible is when $m_a = t - r - s$. 

Computational simulation indistinguishability follows from the fact that while we 
use the same exponents, we use different bases. Therefore, at no point is any element 
itself raised to $m_a$, which the adversary could potentially use to detect whether it was a 
correct proof or one created by a simulator, which does not know $m_a$. The commitments 
$\pi_{0,1}, \pi_{0,2}, \pi_{0,3}, \pi_{0,4}$ rerandomize the bases that we raise to $r, s$ and therefore $t = r + s + m_a$ 
is indistinguishable from a random $t$, so $m_a$ is hidden. □ 

3.4 NIZK Proof for Commitment to Exponent 

We have two elements $a, b$ and a commitment $c$ to the exponent $m$ so $b = a^m$. The relation 
$$R_{\mathrm{expo}} = \{((a, b, c), (m, r, s)) \mid b = a^m,\ c = \mathrm{com}(m; r, s)\}$$ 
defines the language of such statements. 

Theorem 3. There exists an NIZK proof $(K, P_{\mathrm{expo}}, V_{\mathrm{expo}}, S_1, S_{\mathrm{expo}})$ for $R_{\mathrm{expo}}$ with 
perfect completeness, perfect soundness and composable zero-knowledge with perfect 
simulation indistinguishability if the DLIN assumption holds for $\mathcal{G}$. A proof consists of 
8 group elements. Verification consists of evaluating a set of pairing product equations. 

Sketch of proof. If $a \neq 1$ then one can use the bilinear map to verify that a pair of 
commitments $\pi_1, \pi_m$ have the same exponent $m$, so $\pi_m = \pi_1^m$. If $\pi_1$ is a commitment 
to 1, then $\pi_m$ is a commitment to $m$. What remains is to prove that $\pi_1\,\mathrm{com}(-1; 0, 0)$ and 
$c\,\pi_m^{-1}$ are commitments to 0, which we can do with the NIZK proof for commitment 
to 0. 

To prove zero-knowledge we observe that on a perfectly hiding key $ck$ 
$$\pi_1 = (a^{x r_1}, a^{y s_1}, a^{r_1 + s_1}) \quad\text{and}\quad \pi_m = (b^{x r_1}, b^{y s_1}, b^{r_1 + s_1})$$ 
gives us commitments so $\pi_m = \pi_1^m$, even though we do not know $m$ itself. □ 

3.5 NIZK Proof for Generalized Pedersen Commitment 

Consider a Pedersen commitment to many messages $b = g^t \prod_{i=1}^n a_i^{m_i}$. Let $c_t, c_1, \ldots, c_n$ 
be commitments to the exponents. The language of multi-message Pedersen commitments 
and corresponding exponent-commitments is defined by 
$$R_{\mathrm{m\text{-}ped}} = \{((a_1, \ldots, a_n, b, c_t, c_1, \ldots, c_n), (t, r_t, s_t, m_1, r_1, s_1, \ldots, m_n, r_n, s_n)) \mid b = g^t \prod_{i=1}^n a_i^{m_i},\ c_t = \mathrm{com}(t; r_t, s_t),\ c_i = \mathrm{com}(m_i; r_i, s_i)\}.$$ 

Theorem 4. There exists an NIZK proof $(K, P_{\mathrm{m\text{-}ped}}, V_{\mathrm{m\text{-}ped}}, S_1, S_{\mathrm{m\text{-}ped}})$ for 
$R_{\mathrm{m\text{-}ped}}$ with perfect completeness, perfect soundness and composable zero-knowledge 
if the DLIN assumption holds for $\mathcal{G}$. The proof consists of $63n - 4$ group elements. The 
verification consists of evaluating a set of pairing product equations. 

Sketch of proof. The hard part in constructing an NIZK proof for $R_{\mathrm{m\text{-}ped}}$ is to construct 
a proof for the one-message Pedersen commitment relation $R_{\mathrm{ped}}$, which is done with 
techniques related to the NIZK proof for the multiplicative relationship; see the full paper 
for details. Once we have that, we split $b$ into $n$ one-message Pedersen commitments 
$b = \prod_{i=1}^n b_i = \prod_{i=1}^n (g^{t_i} a_i^{m_i})$, choosing the $t_i$'s at random so that $t = \sum_{i=1}^n t_i$, and make 
commitments $c_{t_i}$ to the $t_i$'s. We make an NIZK proof for $R_{\mathrm{ped}}$ for each of the statements 
$(a_i, b_i, c_{t_i}, c_i)$. □ 

3.6 NIZK Proof for Committed Bilinear Product 

We can commit to $a_1, b_1, \ldots, a_n, b_n$ in the following way. We form $A_i = g^{r_i} a_i$ and 
commitments $c_{r_i}$ to $r_i$. Similarly, we form $B_i = g^{s_i} b_i$ and commitments $c_{s_i}$ to $s_i$. We 
are interested in knowing whether $\prod_{i=1}^n e(a_i, b_i) = 1$. 

Let 
$$R_{\mathrm{bil\text{-}prod}} = \{((A_1, c_{r_1}, B_1, c_{s_1}, \ldots, A_n, c_{r_n}, B_n, c_{s_n}), (r_1, r_{r_1}, s_{r_1}, s_1, r_{s_1}, s_{s_1}, \ldots, r_n, r_{r_n}, s_{r_n}, s_n, r_{s_n}, s_{s_n})) \mid A_i = g^{r_i} a_i,\ B_i = g^{s_i} b_i,\ c_{r_i} = \mathrm{com}(r_i; r_{r_i}, s_{r_i}),\ c_{s_i} = \mathrm{com}(s_i; r_{s_i}, s_{s_i}),\ \prod_{i=1}^n e(a_i, b_i) = 1\}.$$ 

Theorem 5. There exists an NIZK proof $(K, P_{\mathrm{bil\text{-}prod}}, V_{\mathrm{bil\text{-}prod}}, S_1, S_{\mathrm{bil\text{-}prod}})$ for 
$R_{\mathrm{bil\text{-}prod}}$ with perfect completeness, perfect soundness and composable zero-knowledge 
under the DLIN assumption for $\mathcal{G}$. Proofs consist of $228n - 3$ group elements and 
verification corresponds to evaluating a set of pairing product equations. 

Sketch of proof. The key observation in the construction is that if and only if $\prod_{i=1}^n e(a_i, b_i) = 1$, 
we have for arbitrary $R_1, S_1, \ldots, R_n, S_n \in \mathbb{Z}_p$ that 
$$\begin{aligned} 
\prod_{i=1}^n e(A_i, B_i) &= \prod_{i=1}^n e(g^{r_i}, g^{s_i} b_i)\, e(g^{r_i} a_i, g^{s_i})\, e(g^{r_i}, g^{s_i})^{-1} \prod_{i=1}^n e(a_i, b_i) \\ 
&= \prod_{i=1}^n e(g, B_i)^{r_i}\, e(A_i, g)^{s_i}\, e(g, g)^{-r_i s_i} = e\Big(g,\ g^{-\sum_{i=1}^n r_i s_i} \prod_{i=1}^n A_i^{s_i} B_i^{r_i}\Big) \\ 
&= e\Big(g,\ g^{-\sum_{i=1}^n (r_i s_i + R_i S_i)} \prod_{i=1}^n A_i^{s_i} B_i^{r_i}\Big) \prod_{i=1}^n e(g^{R_i}, g^{S_i}). 
\end{aligned}$$ 

In the NIZK proof, we pick $R_1, S_1, \ldots, R_n, S_n$ at random. We commit to $R_i, S_i$ and 
we already have commitments to $r_i, s_i$. We reveal the $2n + 1$ elements $g^{R_1}, g^{S_1}, \ldots, g^{R_n}, g^{S_n}$ 
and $g^{-\sum_{i=1}^n (r_i s_i + R_i S_i)} \prod_{i=1}^n A_i^{s_i} B_i^{r_i}$. We then use NIZK proofs for $R_{\mathrm{expo}}$, 
$R_{\mathrm{m\text{-}ped}}$ to prove that they have been formed correctly. 

In the simulation, we observe that for arbitrary $R_1, S_1, \ldots, R_n, S_n$ 
$$\prod_{i=1}^n e(A_i, B_i) = e\Big(g,\ g^{-\sum_{i=1}^n R_i S_i} \prod_{i=1}^n A_i^{-S_i} B_i^{-R_i}\Big) \prod_{i=1}^n e(g^{R_i} A_i,\ g^{S_i} B_i).$$ 
Picking $R_1, S_1, \ldots, R_n, S_n$ randomly means all elements have the same distribution 
as in a real proof on a simulated CRS. We can then simulate the NIZK proofs for 
$R_{\mathrm{expo}}, R_{\mathrm{mult}}, R_{\mathrm{m\text{-}ped}}$. □ 
3.7 NIZK Proof for Satisfiability of Pairing Product Equations 

Recall from the introduction that a pairing product equation is of the form 
$$\mathrm{eq}(a_1, \ldots, a_n):\ \prod_{j=1}^{\ell} e(q_{j,0}, q_{j,1}) = 1, \quad\text{where } q_{j,b} = b_{j,b} \prod_{i=1}^n a_i^{e_{j,b,i}},$$ 
for known $b_{j,b} \in G$ and $e_{j,b,i} \in \mathbb{Z}_p$. A set $S$ of pairing product equations $\mathrm{eq}_1, \ldots, \mathrm{eq}_m$ 
is said to be satisfiable if there exists $(a_1, \ldots, a_n) \in G^n$ such that all equations are 
satisfied. Let $R_{\mathrm{ppsat}} = \{S \mid \exists (a_1, \ldots, a_n) \in G^n\ \forall \mathrm{eq}_k \in S:\ \mathrm{eq}_k(a_1, \ldots, a_n) = \mathrm{true}\}$. 
We conclude this section with the following main theorem. 

Theorem 6. There exists an NIZK proof $(K, P_{\mathrm{ppsat}}, V_{\mathrm{ppsat}}, S_1, S_{\mathrm{ppsat}})$ for $R_{\mathrm{ppsat}}$ with 
perfect completeness, perfect soundness and composable zero-knowledge if the DLIN 
assumption holds for $\mathcal{G}$. Proofs consist of $4n + 228\ell - 3m$ group elements, where 
$\ell = \sum_{k=1}^m \ell_k$ is the combined length of the equations in $S$. Verification consists of evaluating a set of pairing product equations. 

Sketch of proof. In the NIZK proof, we first commit to each $a_i$ as $g^{t_i} a_i$ and $\mathrm{com}(t_i)$. Using 
the homomorphic properties, it is straightforward for $q_{k,j,b}$ in equation $\mathrm{eq}_k$ to compute 
$g^{t_{k,j,b}} q_{k,j,b}$ and $\mathrm{com}(t_{k,j,b})$ as 
$$b_{k,j,b} \prod_{i=1}^n (g^{t_i} a_i)^{e_{k,j,b,i}} = g^{\sum_{i=1}^n e_{k,j,b,i} t_i}\, q_{k,j,b} \quad\text{and}\quad \prod_{i=1}^n \mathrm{com}(t_i)^{e_{k,j,b,i}} = \mathrm{com}\Big(\sum_{i=1}^n e_{k,j,b,i} t_i\Big).$$ 
For each pairing product equation $\mathrm{eq}_k$, make an NIZK proof for $R_{\mathrm{bil\text{-}prod}}$ that 
$\prod_{j=1}^{\ell_k} e(q_{k,j,0}, q_{k,j,1}) = 1$. □ 

Nesting NIZK PROOFS. Since verification consists of verifying a set of pairing prod- 
uct equations, we can nest NIZK proofs inside one another. I.e., we can prove that there 
exists an NIZK proof such that there exists an NIZK proof such that, etc. Each level of 
nesting costs a constant blow-up factor. In comparison, this is very expensive with other 
NIZK proofs and impossible in the random oracle model. 

Reducing the number of variables. Consider a set of pairing product equations 
over $n$ variables with combined length $\ell$. We show in the full paper that there is a set 
of pairing product equations of length $\ell$ over $n' \le 2\ell$ variables, such that this set is 
satisfiable if and only if the original set is satisfiable. This gives us NIZK proofs of 
length $O(\ell)$ group elements for satisfiability of pairing product equations. 

4 Simulation-Sound Extractable NIZK Proof for Satisfiability of 
Pairing Product Equations 

A CMA-secure signature scheme. With the help of the NIZK proof for $R_{\mathrm{ppsat}}$, 
we can construct a digital signature scheme secure against adaptive chosen message 
attack (CMA). 

Theorem 7. Under the DLIN assumption there exists a CMA-secure digital signature 
scheme $(K_{\mathrm{sign}}, \mathrm{Sign}, \mathrm{Ver})$ for signing $n$ group elements with perfect correctness. The 
verification key and the signatures consist of $O(n)$ group elements and the verification 
process consists of evaluating a set of pairing product equations. 

Due to lack of space we refer the reader to the full paper [28] for the construction and 
the proof. We remark on one issue that makes the construction non-trivial. Our NIZK 
proofs work for pairing product equations. Since we want to use the NIZK proofs on 
encrypted signatures, we cannot use a hash-function in the signature scheme, since we 
do not know how to make NIZK proofs for correct hashing without an expensive NP- 
reduction to e.g. Circuit Satisfiability. 

Simulation-sound extractable NIZK proofs. We will combine the CMA-secure 
signature scheme with the NIZK proofs to construct an unbounded simulation-sound 
extractable NIZK proof for $R_{\mathrm{ppsat}}$. 

Common reference string and simulated reference string: Given a group $(p, G, G_1, e, g)$ 
pick CMA-secure signature keys $(vk, sk) \leftarrow K_{\mathrm{sign}}(p, G, G_1, e, g)$, keys for 
the CPA-secure cryptosystem $(pk, sk_{\mathrm{cpa}}) \leftarrow K_{\mathrm{cpa}}(p, G, G_1, e, g)$ and make a 
ciphertext $c_1 \leftarrow E_{pk}(t)$ for $t \neq 1$. Let $\sigma \leftarrow K(p, G, G_1, e, g)$ be a CRS for our NIZK 
proofs. 

The CRS is $\Sigma = (vk, pk, c_1, \sigma)$. 

In the simulation we pick $c_1 = E_{pk}(1; r_c, s_c)$ and let the simulation trapdoor be 
$\tau = (sk, r_c, s_c)$ while the extraction key is $\xi = sk_{\mathrm{cpa}}$. 

Proof: Given a set of pairing product equations $S$ and a satisfiability witness $w = (a_1, \ldots, a_n)$ 
the proof is constructed as follows. Pick keys $(vk_{\mathrm{sots}}, sk_{\mathrm{sots}})$ for a strong one-time 
signature scheme.² Encrypt $c_w \leftarrow E_{pk}(a_1, \ldots, a_n)$ and $c_s = E_{pk}(1, \ldots, 1)$. Make an NIZK 
proof $\pi_{\mathrm{ssor}}$ of the following statement: either $c_w$ contains a satisfying witness, or $c_1$ 
contains 1 and $c_s$ contains a signature under $vk$ on $vk_{\mathrm{sots}}$. We refer to the full paper for 
how to use the NIZK proof for $R_{\mathrm{ppsat}}$ to prove satisfiability of at least one out of two 
sets of pairing product equations. Finally, sign everything: $s_{\mathrm{sots}} \leftarrow \mathrm{Sign}_{sk_{\mathrm{sots}}}(S, c_w, c_s, \pi_{\mathrm{ssor}})$. 
The proof is $\pi = (vk_{\mathrm{sots}}, c_w, c_s, \pi_{\mathrm{ssor}}, s_{\mathrm{sots}})$. 

Simulation: Pick keys $(vk_{\mathrm{sots}}, sk_{\mathrm{sots}})$ for a strong one-time signature scheme. Sign 
$vk_{\mathrm{sots}}$ as $s \leftarrow \mathrm{Sign}_{sk}(vk_{\mathrm{sots}})$. Encrypt $c_w \leftarrow E_{pk}(1, \ldots, 1)$ and $c_s = E_{pk}(s)$. 
Make an NIZK proof $\pi_{\mathrm{ssor}}$ of the following statement: either $c_w$ contains a satisfying 
witness, or $c_1$ contains 1 and $c_s$ contains a signature under $vk$ on $vk_{\mathrm{sots}}$. Finally, 
sign everything: $s_{\mathrm{sots}} \leftarrow \mathrm{Sign}_{sk_{\mathrm{sots}}}(S, c_w, c_s, \pi_{\mathrm{ssor}})$. 

Verification and extraction: Accept the proof if and only if the strong one-time signature 
$s_{\mathrm{sots}}$ and the proof $\pi_{\mathrm{ssor}}$ are valid. 

To extract a witness simply decrypt $c_w$. 

Theorem 8. If $(p, G, G_1, e, g)$ is a DLIN group then $(K_{\mathrm{sse}}, P_{\mathrm{sse}}, V_{\mathrm{sse}}, S_{1,\mathrm{sse}}, S_{\mathrm{sse}}, E_{1,\mathrm{sse}}, E_{\mathrm{sse}}, SE_{1,\mathrm{sse}})$ 
is an NIZK proof for $R_{\mathrm{ppsat}}$ with perfect completeness, perfect 
soundness, perfect knowledge extraction, composable zero-knowledge and unbounded 
simulation-sound extractability. The size of the CRS is $O(1)$ group elements, 
while the NIZK proofs consist of $O(n + \ell)$ group elements. 

² See the full paper for a DLIN group based strong one-time signature scheme. 
Sketch of proof. On a real CRS, $c_1$ does not contain 1, and therefore by the perfect 
soundness of the NIZK proof $c_w$ must contain a satisfiability witness $w$. In simulations, 
$c_1$ does contain 1; however, since the prover does not know the signing key $sk$ he cannot 
create signatures on $vk_{\mathrm{sots}}$ of his own choosing, and he cannot recycle a $vk_{\mathrm{sots}}$ either 
because he does not know the corresponding signing key $sk_{\mathrm{sots}}$. Therefore, he cannot 
encrypt a signature in $c_s$, so he must still encrypt a satisfiability witness in $c_w$. We can 
then decrypt $c_w$ and extract the witness. We refer to the full paper for details. □ 

5 Constant Size Group Signatures Without Random Oracles 

Security definitions. [7] defines three security properties that a group signature 
must satisfy: anonymity, traceability and non-frameability. We refer to the full paper for 
formal definitions and to [7] for a discussion of why this is a strong security definition 
that incorporates previous security requirements found in the literature. The definition 
allows for separating the roles of the group manager into an issuer who can enroll 
members and an opener who can open signatures to see who created them. 

Anonymity: Only the opener can see who created a signature. This property must hold 
even if the members’ keys are exposed and the issuer is corrupt. 

Traceability: If the issuer is honest then all signatures will be correctly opened to some 
member. 

Non-frameability: Even if the issuer and opener are both corrupt, they still cannot 
create a valid signature and a convincing opening that frames an honest member 
that did not sign it. 

A group signature scheme. We imagine that there is a PKI in place so we have 
authenticated public keys. We model this by having a public key registry $\mathrm{reg}$ where only 
user $i$ has one-time write access to $\mathrm{reg}[i]$; we do not attempt to keep this information 
secret. User $i$ stores his secret key in $\mathrm{gsk}[i]$; unless compromised, only the user has 
access to this key. 

Key generation: We create the group public key $gpk = (vk, pk, \Sigma)$, where $vk$ is a 
verification key for the CMA-secure signature scheme, $pk$ is a public key for the 
CPA-secure cryptosystem and $\Sigma$ is a CRS for the simulation-sound extractable 
NIZK proof. The issuer's key $ik$ is the signing key for the signature scheme, while 
the opener's key $ok$ is the decryption key for the cryptosystem. 

Join/Issue: The user $i$ registers a public key $vk_i$ for the CMA-secure signature scheme 
in $\mathrm{reg}[i]$ and stores the corresponding secret key $sk_i$. The issuer signs it as $\mathrm{cert}_i \leftarrow \mathrm{Sign}_{ik}(vk_i)$. 
The user verifies the correctness of the signature and stores $\mathrm{gsk}[i] = (sk_i, vk_i, \mathrm{cert}_i)$. 

Sign: To sign $m \in \{0, 1\}^*$, member $i$ creates a strong one-time signature key pair 
$(vk_{\mathrm{sots}}, sk_{\mathrm{sots}})$. Using $sk_i$ he signs the ver
ification key, $s_i \leftarrow \mathrm{Sign}_{sk_i}(vk_{\mathrm{sots}})$. He 
then creates an encryption $c$ of $(vk_i, \mathrm{cert}_i, s_i)$ and makes a simulation-sound 
extractable NIZK proof $\pi$ that the plaintext is correctly formed. Finally, he makes a 
strong one-time signature $s_{\mathrm{sots}} \leftarrow \mathrm{Sign}_{sk_{\mathrm{sots}}}(m, vk_{\mathrm{sots}}, c, \pi)$. 

The group signature on $m$ is $s = (vk_{\mathrm{sots}}, c, \pi, s_{\mathrm{sots}})$. 

Verify: Accept if the strong one-time signature and the NIZK proof are valid. 

Open: To open a valid group signature we decrypt $c$. We get some $(vk^*, \mathrm{cert}^*, s^*)$ and 
look up the member $i$ who registered $vk^*$. In case no such member exists, we set 
$i = \mathrm{issuer}$. We return an opening $(i, \psi)$, where $\psi = (vk^*, \mathrm{cert}^*, s^*)$. 

Judge: Anybody can check whether $\mathrm{cert}^*$ is a signature on $vk^*$ under $vk$, and whether 
$s^*$ is a signature on $vk_{\mathrm{sots}}$ under $vk^*$. If $vk^*$ has been registered for user $i$, or no 
$vk^*$ has been registered and $i = \mathrm{issuer}$, we accept the opening. 

Theorem 9. If the DLIN assumption holds for $\mathcal{G}$ then there exists a group signature 
scheme with anonymity, traceability and non-frameability and perfect correctness. All 
public keys contain $O(1)$ group elements, openings contain $O(1)$ group elements, and 
signatures contain $O(1)$ group elements and elements from $\mathbb{Z}_p$. 

Sketch of proof. We get anonymity because the information $(vk_i, \mathrm{cert}_i, s_i)$ that could 
identify the signer is encrypted and the NIZK proof is zero-knowledge. Seeing openings 
of other group signatures does not help, because when a CPA-secure cryptosystem is 
combined with a simulation-sound proof of knowledge of the plaintext, it becomes 
CCA2-secure; see also [23]. 

We get traceability because by the soundness of the NIZK proof system we must have 
a correct $(vk^*, \mathrm{cert}^*, s^*)$ inside the ciphertext. Since only the issuer knows the signing 
key $ik$, nobody else can forge a certificate $\mathrm{cert}^*$. This means the group signature must 
point to some member $i$, not the issuer. 

We have non-frameability because a valid signature and a valid opening pointing to 
$i$ contains a signature $s^*$ under $vk_i$ on $vk_{\mathrm{sots}}$, so $vk_{\mathrm{sots}}$ must have been signed by the 
member. Furthermore, since it is a strong one-time signature scheme and the public key 
$vk_{\mathrm{sots}}$ is used only once by $i$, it must also be this member that made the signature $s_{\mathrm{sots}}$ 
on $(m, vk_{\mathrm{sots}}, c, \pi)$. 

The full paper [28] contains a more detailed construction and the full proof. □ 
Abstract. The group signature scheme [1], ACJT for short, is popular. 
In this paper we show that it is not secure: it does not satisfy exculpability, 
because the group manager can sign on behalf of any group member. 
The drawback found in the scheme shows that some inductions are not 
sound, though they are prevalent in some so-called security proofs. 

Keywords: group signature, exculpability, anonymity. 


1 Introduction 

Group signatures, introduced by Chaum and van Heyst [2], allow individual members 
to make signatures on behalf of the group. Generally, a group signature must 
satisfy the following properties [1]: 

Unforgeability: Only group members are able to sign messages on behalf 
of the group. 

Anonymity: Given a valid signature of some message, identifying the actual 
signer is computationally hard for everyone but the group manager. 

Unlinkability: Deciding whether two different valid signatures were produced 
by the same group member is computationally hard. 

Traceability: The group manager is always able to open a valid signature 
and identify the actual signer. 

Coalition-resistance: A colluding subset of group members (even if comprised 
of the entire group) cannot generate a valid signature that the group 
manager cannot link to one of the colluding group members. 

Exculpability: Neither a group member nor the group manager can sign 
on behalf of other group members. 

Group signatures constitute a very useful primitive in many settings, and they 
have been an active research topic in recent years [3-7]. 

At Crypto'2000, Ateniese et al. [1] proposed a group signature scheme. The 
authors claimed that the scheme was practical and provably secure coalition-resistant. 
We show that this claim is false: the group manager can sign on behalf 
of any group member. That is to say, the popular group signature scheme does 

X. Lai and K. Chen (Eds.): ASIACRYPT 2006, LNCS 4284, pp. 460-466, 2006. 

not satisfy exculpability. To our knowledge, this is the first time the scheme 
has been shown to be insecure. The attack developed in the paper is novel and interesting. The 
drawback found in the popular signature scheme shows that some inductions are 
not sound, though they are prevalent in so-called security proofs. 

The rest of the paper is organized as follows. The next section reviews the ACJT 
group signature scheme. An attack is presented in Section 3. Some concluding 
remarks are given in Section 4. 

2 Review 

Let $\epsilon > 1$, $k$, $\ell_p$ be security parameters and let $\lambda_1, \lambda_2, \gamma_1, \gamma_2$ denote lengths 
satisfying 
$$\lambda_1 > \epsilon(\lambda_2 + k) + 2,\quad \lambda_2 > 4\ell_p,\quad \gamma_1 > \epsilon(\gamma_2 + k) + 2,\quad \gamma_2 > \lambda_1 + 2.$$ 
Define the integral ranges 
$$\Lambda = \,]2^{\lambda_1} - 2^{\lambda_2},\ 2^{\lambda_1} + 2^{\lambda_2}[\,, \qquad \Gamma = \,]2^{\gamma_1} - 2^{\gamma_2},\ 2^{\gamma_1} + 2^{\gamma_2}[\,.$$ 
Finally, let $H$ be a collision-resistant hash function $H: \{0,1\}^* \to \{0,1\}^k$. 

The initial phase involves the group manager (GM) setting the group public 
key $\mathcal{Y}$ and his secret key $\mathcal{S}$. 

SETUP: 

1. Select random secret $\ell_p$-bit primes $p', q'$ such that $p = 2p' + 1$ and $q = 2q' + 1$ 
are primes. Set the modulus $n = pq$. 

2. Choose random elements $a, a_0, g, h \in_R QR(n)$ (of order $p'q'$). 

3. Choose a random secret element $x \in_R \mathbb{Z}^*_{p'q'}$, and set $y = g^x \bmod n$. 

4. The group public key is: $\mathcal{Y} = (n, a, a_0, y, g, h)$. 

5. The corresponding secret key (known only to GM) is: $\mathcal{S} = (p', q', x)$. 


Suppose now that a new user wants to join the group. We assume that communication 
between the user and the group manager is secure. The selection of 
per-user parameters is done as follows: 

JOIN: 

1. User $P_i$ generates a secret exponent $\tilde{x}_i \in_R\, ]0, 2^{\lambda_2}[$, a random integer 
$\tilde{r} \in_R\, ]0, n^2[$ and sends $C_1 = g^{\tilde{x}_i} h^{\tilde{r}} \bmod n$ to GM and proves to him 
knowledge of the representation of $C_1$ w.r.t. bases $g$ and $h$. 

2. GM checks that $C_1 \in QR(n)$. If this is the case, GM selects $\alpha_i$ and 
$\beta_i \in_R\, ]0, 2^{\lambda_2}[$ at random and sends $(\alpha_i, \beta_i)$ to $P_i$. 

3. User $P_i$ computes $x_i = 2^{\lambda_1} + (\alpha_i \tilde{x}_i + \beta_i \bmod 2^{\lambda_2})$ and sends GM 
the value $C_2 = a^{x_i} \bmod n$. The user also proves to GM: 

(a) that the discrete log of $C_2$ w.r.t. base $a$ lies in $\Lambda$, and 

(b) knowledge of integers $u, v$, and $w$ such that 

i. $u$ lies in $]-2^{\lambda_2}, 2^{\lambda_2}[$, 

ii. $u$ equals the discrete log of $C_2 / a^{2^{\lambda_1}}$ w.r.t. base $a$, and 

iii. $C_1^{\alpha_i} g^{\beta_i}$ equals $g^u (g^{2^{\lambda_2}})^v h^w$. 

(The statements (i)-(iii) prove that the user's membership secret $x_i = \log_a C_2$ 
is correctly computed from $C_1$, $\alpha_i$, and $\beta_i$.) 

4. GM checks that $C_2 \in QR(n)$. If this is the case and all the above 
proofs were correct, GM selects a random prime $e_i \in_R \Gamma$ and computes 
$A_i := (C_2 a_0)^{1/e_i} \bmod n$. Finally, GM sends $P_i$ the new membership 
certificate $[A_i, e_i]$. (Note that $A_i = (a^{x_i} a_0)^{1/e_i} \bmod n$.) 

5. User $P_i$ verifies that $a^{x_i} a_0 = A_i^{e_i} \bmod n$. 
Armed with a membership certificate $[A_i, e_i]$, a group member can generate 
anonymous and unlinkable group signatures on a generic message $m \in \{0,1\}^*$: 

SIGN: 

1. Generate a random value $w \in_R \{0,1\}^{2\ell_p}$ and compute: 
$$T_1 = A_i y^w \bmod n,\quad T_2 = g^w \bmod n,\quad T_3 = g^{e_i} h^w \bmod n.$$ 

2. Randomly choose $r_1 \in_R \pm\{0,1\}^{\epsilon(\gamma_2 + k)}$, $r_2 \in_R \pm\{0,1\}^{\epsilon(\lambda_2 + k)}$, 
$r_3 \in_R \pm\{0,1\}^{\epsilon(\gamma_1 + 2\ell_p + k + 1)}$, $r_4 \in_R \pm\{0,1\}^{\epsilon(2\ell_p + k)}$ and compute: 
$$d_1 = T_1^{r_1} / (a^{r_2} y^{r_3}) \bmod n,\quad d_2 = T_2^{r_1} / g^{r_3} \bmod n,\quad d_3 = g^{r_4} \bmod n,\quad d_4 = g^{r_1} h^{r_4} \bmod n,$$ 
$$c = H(g \,\|\, h \,\|\, y \,\|\, a_0 \,\|\, a \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, d_1 \,\|\, d_2 \,\|\, d_3 \,\|\, d_4 \,\|\, m),$$ 
$$s_1 = r_1 - c(e_i - 2^{\gamma_1}),\quad s_2 = r_2 - c(x_i - 2^{\lambda_1}),\quad s_3 = r_3 - c e_i w,\quad s_4 = r_4 - c w \quad \text{(all in } \mathbb{Z}).$$ 

3. Output $(c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$. 

A verifier can check the validity of a signature $(c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ on 
the message $m$ as follows: 

VERIFY: 

1. Compute 
$$c' = H(g \,\|\, h \,\|\, y \,\|\, a_0 \,\|\, a \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, d_1' \,\|\, d_2' \,\|\, d_3' \,\|\, d_4' \,\|\, m)$$ 
where 
$$d_1' = a_0^c\, T_1^{s_1 - c 2^{\gamma_1}} / (a^{s_2 - c 2^{\lambda_1}} y^{s_3}) \bmod n,\quad d_2' = T_2^{s_1 - c 2^{\gamma_1}} / g^{s_3} \bmod n,$$ 
$$d_3' = T_2^c g^{s_4} \bmod n,\quad d_4' = T_3^c g^{s_1 - c 2^{\gamma_1}} h^{s_4} \bmod n.$$ 

2. Accept the signature if and only if $c = c'$ and 
$$s_1 \in \pm\{0,1\}^{\epsilon(\gamma_2 + k) + 1},\quad s_2 \in \pm\{0,1\}^{\epsilon(\lambda_2 + k) + 1},\quad s_3 \in \pm\{0,1\}^{\epsilon(\gamma_1 + 2\ell_p + k + 1) + 1},\quad s_4 \in \pm\{0,1\}^{\epsilon(2\ell_p + k) + 1}.$$ 
In case of a dispute, GM executes the following procedure: 

OPEN: 

1. Check the signature's validity via the VERIFY procedure. 

2. Recover $A_i$ (and thus the identity of $P_i$) as $A_i = T_1 / T_2^x \bmod n$. 

3. Prove that $\log_g y = \log_{T_2}(T_1 / A_i \bmod n)$. 

Remark 1: In the original description [1], we observe that 
$$r_3 \in_R \pm\{0,1\}^{\epsilon(\gamma_1 + 2\ell_p + k + 1)}, \qquad s_3 \in \pm\{0,1\}^{\epsilon(\lambda_1 + 2\ell_p + k + 1) + 1}.$$ 
It is not difficult to see that the latter should be corrected to $\epsilon(\gamma_1 + 2\ell_p + k + 1) + 1$ to keep 
consistency between $r_3$ and $s_3$. 


3 Analysis 

In this section, we show that the ACJT group signature scheme does not satisfy exculpability. 
More precisely, we find that the group manager (GM) can sign on behalf of 
any member if GM replaces Step 2 in the original SETUP phase with the following: 

2. Choose random elements $a_0, g, h \in_R QR(n)$ (of order $p'q'$) 
and set $a = a_0^t \pmod n$, where $t \in_R \mathbb{Z}^*_{p'q'}$. 

Then GM records $(a^{x_i}, A_i, e_i)$ in the JOIN phase (pointing to the member $P_i$). 
Note that no member can prevent GM from setting $a = a_0^t \pmod n$. 

Using $(t, a^{x_i}, A_i, e_i)$ and the secret key $(p', q')$, GM can sign on behalf of the 
member $P_i$. Given a message $m$, GM proceeds as follows: 

1. Choose $w \in_R \{0,1\}^{2\ell_p}$ and compute: 
$$T_1 = A_i y^w \bmod n,\quad T_2 = g^w \bmod n,\quad T_3 = h^w \bmod n.$$ 

2. Choose $b_1, b_2 \in_R \mathbb{Z}_n$, $r_4 \in_R \pm\{0,1\}^{\epsilon(2\ell_p + k)}$ and compute 
$$d_1 = (a^{x_i})^{b_1} y^{b_2},\quad d_2 = g^{b_2},\quad d_3 = g^{r_4},\quad d_4 = g^{b_1 e_i} h^{r_4} \pmod n,$$ 
$$c = H(g \,\|\, h \,\|\, y \,\|\, a_0 \,\|\, a \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, d_1 \,\|\, d_2 \,\|\, d_3 \,\|\, d_4 \,\|\, m).$$ 

3. Choose $X \in_R \Lambda$ and compute 
$$R_1 = (c + b_1) e_i,\quad R_2 = cX + t^{-1}(c + b_1),\quad R_3 = w R_1 - b_2$$ 
(mod 

4. Choose proper $\rho_1, \rho_2, \rho_3 \in \mathbb{Z}$ such that 
$$r_1 = R_1 + \rho_1 \phi(n) \in \pm\{0,1\}^{\epsilon(\gamma_2 + k)},\quad r_2 = R_2 + \rho_2 \phi(n) \in \pm\{0,1\}^{\epsilon(\lambda_2 + k)},\quad r_3 = R_3 + \rho_3 \phi(n) \in \pm\{0,1\}^{\epsilon(\gamma_1 + 2\ell_p + k + 1)}.$$ 
(Since $R_1, R_2, R_3 \in \mathbb{Z}_n$, $n = (2p' + 1)(2q' + 1)$, $|p'| = |q'| = \ell_p$, $\epsilon > 1$, $\gamma_1 > \epsilon(\gamma_2 + k) + 2$, 
$\gamma_2 > \lambda_1 + 2$, $\lambda_1 > \epsilon(\lambda_2 + k) + 2$ and $\lambda_2 > 4\ell_p$, it is easy to find 
$\rho_1, \rho_2, \rho_3 \in \mathbb{Z}$ satisfying the above restrictions.) 

5. Compute 
$$s_1 = r_1 - c(e_i - 2^{\gamma_1}),\quad s_2 = r_2 - c(X - 2^{\lambda_1}),\quad s_3 = r_3 - c e_i w,\quad s_4 = r_4 - c w \quad \text{(all in } \mathbb{Z}).$$ 

6. Output $(c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$. 

Correctness: For convenience, denote by $\xi_i$ the inverse of $e_i$ modulo $\phi(n)$, i.e., 
$e_i \xi_i \equiv 1 \pmod{\phi(n)}$. All bases below lie in $QR(n)$ and so have order dividing 
$p'q'$; exponents may therefore be reduced modulo $p'q'$, hence modulo $\phi(n) = 4p'q'$, which is 
also why $r_j$ and $R_j = r_j - \rho_j \phi(n)$ are interchangeable in an exponent, and why the inverse 
$t^{-1}$ modulo $p'q'$ suffices. 

Hence, we have 

$d_1' = a_0^{c} T_1^{\,s_1 - c2^{\gamma_1}} / (a^{s_2 - c2^{\lambda_1}} y^{s_3}) 
      = a_0^{c} (A_i y^{\omega})^{r_1 - ce_i} / (a^{r_2 - cX} y^{r_3 - ce_i\omega})$ 
$\quad = a_0^{c} \big((a^{x_i} a_0)^{\xi_i}\big)^{r_1 - ce_i} y^{\omega r_1 - r_3} / a^{r_2 - cX}$ 
$\quad = a_0^{c} (a^{x_i})^{\xi_i r_1 - c} a_0^{\xi_i r_1 - c} y^{\omega r_1 - r_3} / a^{r_2 - cX} 
      = (a^{x_i})^{\xi_i r_1 - c} a_0^{\xi_i r_1} y^{\omega r_1 - r_3} / a_0^{t(r_2 - cX)}$ 
$\quad = (a^{x_i})^{\xi_i r_1 - c} a_0^{\xi_i r_1 - t(r_2 - cX)} y^{\omega r_1 - r_3} 
      = (a^{x_i})^{R_1 \xi_i - c} a_0^{R_1 \xi_i - t(R_2 - cX)} y^{\omega R_1 - R_3}$ 
$\quad = (a^{x_i})^{b_1} a_0^{c + b_1 - t \cdot t^{-1}(c + b_1)} y^{b_2} = (a^{x_i})^{b_1} y^{b_2} = d_1 \pmod n$, 

$d_2' = T_2^{\,s_1 - c2^{\gamma_1}} / g^{s_3} = g^{\omega(r_1 - ce_i)} / g^{r_3 - ce_i\omega} 
      = g^{\omega r_1 - r_3} = g^{\omega R_1 - R_3} = g^{b_2} = d_2 \pmod n$, 

$d_3' = T_2^{c} g^{s_4} = (g^{\omega})^{c} g^{r_4 - c\omega} = g^{r_4} = d_3 \pmod n$, 

$d_4' = T_3^{c} g^{s_1 - c2^{\gamma_1}} h^{s_4} = (h^{\omega})^{c} g^{r_1 - ce_i} h^{r_4 - c\omega} 
      = g^{R_1 - ce_i} h^{r_4} = g^{b_1 e_i} h^{r_4} = d_4 \pmod n$. 

Thus $c' = c$. It is easy to check that 

$s_1 \in \pm\{0,1\}^{\epsilon(\gamma_2+k)+1}$, $\quad s_2 \in \pm\{0,1\}^{\epsilon(\lambda_2+k)+1}$, 
$s_3 \in \pm\{0,1\}^{\epsilon(\gamma_1+2\ell_p+k+1)+1}$, $\quad s_4 \in \pm\{0,1\}^{\epsilon(2\ell_p+k)+1}$, 

since the $r_j$ lie in the ranges of step 4 (and $r_4$ in the range of step 2) while 
$|c(e_i - 2^{\gamma_1})| < 2^{\gamma_2+k}$, $|c(X - 2^{\lambda_1})| < 2^{\lambda_2+k}$, 
$|c e_i \omega| < 2^{\gamma_1+2\ell_p+k+1}$ and $|c\omega| < 2^{2\ell_p+k}$. So the forged signature 
passes VERIFY. Clearly, we also have 

$T_1 / T_2^{x} = A_i y^{\omega} / (g^{\omega})^{x} = A_i \bmod n$, 

so OPEN attributes the forgery to $P_i$. Therefore, the scheme is not exculpable. 
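The forgery above, together with the VERIFY and OPEN procedures from the scheme description, as a runnable Python example. This is an added illustration for this page, not code from the paper or from ACJT [1]. It assumes constructed toy parameters ($p' = 443$, $q' = 491$, so $\ell_p = 9$; $k = 32$; $\epsilon = 1.1$; $\lambda_2 = 37$, $\lambda_1 = 79$, $\gamma_2 = 82$, $\gamma_1 = 129$, chosen to meet the parameter constraints, including the $\lambda_2 > 4\ell_p$ bound that ACJT imposes and that is truncated on this page), SHA-256 truncated to $k$ bits as $H$, a JOIN reduced to "the member sends $a^{x_i}$" with the interactive proofs of the real JOIN omitted, and a seeded PRNG for reproducibility. The function names (`setup_malicious`, `join`, `sign`, `forge`, `verify`, `open_sig`, `demo`) are this example's own.

```python
import hashlib, math, random
from itertools import accumulate

rng = random.Random(2006)  # deterministic toy randomness; a real system uses `secrets`
# Constructed toy parameters meeting the ACJT constraints (lambda2 > 4 l_p, lambda1 > eps(lambda2+k)+2,
# gamma2 > lambda1+2, gamma1 > eps(gamma2+k)+2) at tiny sizes; a real deployment uses l_p ~ 512.
PP, QQ = 443, 491                                       # 9-bit Sophie Germain primes: 887 and 983 are prime
LP, K, EPS = 9, 32, 1.1
LAMBDA2, LAMBDA1, GAMMA2, GAMMA1 = 37, 79, 82, 129
LAMBDA = ((1 << LAMBDA1) - (1 << LAMBDA2) + 1, (1 << LAMBDA1) + (1 << LAMBDA2))  # the interval Lambda
GAMMA = ((1 << GAMMA1) - (1 << GAMMA2) + 1, (1 << GAMMA1) + (1 << GAMMA2))       # the interval Gamma

def eps(x): return int(EPS * x)                                      # exponent of a ±{0,1}^{eps(x)} range
def srand(bits): return rng.randrange(-(1 << bits) + 1, 1 << bits)  # uniform element of ±{0,1}^bits

def is_prime(n, rounds=24):  # Miller-Rabin, adequate for a toy
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # a is a witness if a^d != 1 and no a^(d 2^j), j < r, equals -1
        x = pow(rng.randrange(2, n - 1), d, n)
        if x != 1 and n - 1 not in accumulate(range(r - 1), lambda v, _: v * v % n, initial=x):
            return False
    return True

def rand_prime(lo, hi):      # random prime in [lo, hi) by rejection sampling
    while True:
        c = rng.randrange(lo, hi) | 1
        if is_prime(c): return c

def H(*vals):                # k-bit challenge: SHA-256 over the '||' concatenation, truncated to K bits
    return int.from_bytes(hashlib.sha256(b"|".join(str(v).encode() for v in vals)).digest()[:K // 8], "big")

def setup_malicious():       # SETUP with the paper's replaced step 2: a = a0^t for a t known to GM
    n, order = (2 * PP + 1) * (2 * QQ + 1), PP * QQ
    def qr():                # random square of full order p'q'
        while True:
            v = pow(rng.randrange(2, n), 2, n)
            if v != 1 and pow(v, PP, n) != 1 and pow(v, QQ, n) != 1: return v
    a0, g, h, x = qr(), qr(), qr(), rng.randrange(2, order)
    t = rng.randrange(2, order)
    while math.gcd(t, order) != 1: t = rng.randrange(2, order)
    return (n, pow(a0, t, n), a0, pow(g, x, n), g, h), (order, 4 * order, x, t)  # pub, sec

def join(pub, sec, x_i):     # member sends a^{x_i}; GM returns A_i, e_i and records (a^{x_i}, A_i, e_i)
    n, e_i = pub[0], rand_prime(*GAMMA)
    a_xi = pow(pub[1], x_i, n)
    return a_xi, pow(a_xi * pub[2] % n, pow(e_i, -1, sec[0]), n), e_i

def sign(pub, rec, x_i, m):  # honest SIGN, which needs the member's secret x_i
    (n, a, a0, y, g, h), (_, A_i, e_i), w = pub, rec, rng.getrandbits(2 * LP)
    T1, T2, T3 = A_i * pow(y, w, n) % n, pow(g, w, n), pow(g, e_i, n) * pow(h, w, n) % n
    r1, r2 = srand(eps(GAMMA2 + K)), srand(eps(LAMBDA2 + K))
    r3, r4 = srand(eps(GAMMA1 + 2 * LP + K + 1)), srand(eps(2 * LP + K))
    d1 = pow(T1, r1, n) * pow(a, -r2, n) * pow(y, -r3, n) % n
    d2, d3, d4 = pow(T2, r1, n) * pow(g, -r3, n) % n, pow(g, r4, n), pow(g, r1, n) * pow(h, r4, n) % n
    c = H(g, h, y, a0, a, T1, T2, T3, d1, d2, d3, d4, m)
    return (c, r1 - c * (e_i - (1 << GAMMA1)), r2 - c * (x_i - (1 << LAMBDA1)),
            r3 - c * e_i * w, r4 - c * w, T1, T2, T3)

def forge(pub, sec, rec, m): # the paper's attack: GM signs for P_i from (t, a^{x_i}, A_i, e_i), never x_i
    (n, a, a0, y, g, h), (order, phi, _, t), (a_xi, A_i, e_i) = pub, sec, rec
    w = rng.getrandbits(2 * LP)
    T1, T2, T3 = A_i * pow(y, w, n) % n, pow(g, w, n), pow(h, w, n)   # note: T3 carries no g^{e_i}
    b1, b2, r4 = rng.randrange(n), rng.randrange(n), srand(eps(2 * LP + K))
    d1, d2, d3 = pow(a_xi, b1, n) * pow(y, b2, n) % n, pow(g, b2, n), pow(g, r4, n)
    d4 = pow(g, b1 * e_i, n) * pow(h, r4, n) % n
    c, X = H(g, h, y, a0, a, T1, T2, T3, d1, d2, d3, d4, m), rng.randrange(*LAMBDA)
    # R_1, R_2, R_3 of step 3 with t^{-1} modulo the group order p'q'; reducing modulo phi(n) is one
    # admissible choice of rho_j in step 4, because phi(n) < 2^{2 l_p + 2} lies inside every range.
    r1 = (c + b1) * e_i % phi
    r2 = (c * X + pow(t, -1, order) * (c + b1)) % phi
    r3 = (w * r1 - b2) % phi
    return (c, r1 - c * (e_i - (1 << GAMMA1)), r2 - c * (X - (1 << LAMBDA1)),
            r3 - c * e_i * w, r4 - c * w, T1, T2, T3)

def verify(pub, m, sig):     # VERIFY: recompute d'_1..d'_4, check c' = c and the four size bounds
    n, a, a0, y, g, h = pub
    c, s1, s2, s3, s4, T1, T2, T3 = sig
    u, v = s1 - c * (1 << GAMMA1), s2 - c * (1 << LAMBDA1)
    d1 = pow(a0, c, n) * pow(T1, u, n) * pow(a, -v, n) * pow(y, -s3, n) % n
    d2, d3 = pow(T2, u, n) * pow(g, -s3, n) % n, pow(T2, c, n) * pow(g, s4, n) % n
    d4 = pow(T3, c, n) * pow(g, u, n) * pow(h, s4, n) % n
    bounds = (eps(GAMMA2 + K), eps(LAMBDA2 + K), eps(GAMMA1 + 2 * LP + K + 1), eps(2 * LP + K))
    return (c == H(g, h, y, a0, a, T1, T2, T3, d1, d2, d3, d4, m)
            and all(abs(s) < 1 << (b + 1) for s, b in zip((s1, s2, s3, s4), bounds)))

def open_sig(pub, sec, sig): # OPEN step 2: A_i = T_1 / T_2^x mod n names the (framed) member
    return sig[5] * pow(sig[6], -sec[2], pub[0]) % pub[0]

def demo(m="transfer 100 to Mallory"):
    pub, sec = setup_malicious()
    x_i = rng.randrange(*LAMBDA)                # the member's secret; GM never sees it
    rec = join(pub, sec, x_i)
    honest, forged = sign(pub, rec, x_i, m), forge(pub, sec, rec, m)
    return (verify(pub, m, honest), verify(pub, m, forged), verify(pub, m + "!", forged),
            open_sig(pub, sec, honest) == rec[1], open_sig(pub, sec, forged) == rec[1])
```

`demo()` returns five booleans: the honest signature verifies, the forgery verifies, the forgery fails on a modified message (so VERIFY is not trivially accepting), and OPEN maps both the honest and the forged signature to the same $A_i$, which is exactly the loss of exculpability. Two details worth noticing when reading the code: the step-4 choice of $\rho_j$ is made by simply reducing $R_j$ modulo $\phi(n)$, which only GM can do because only GM knows $\phi(n)$; and the forged $T_3 = h^{\omega}$ contains no $g^{e_i}$ factor, yet VERIFY only recomputes $d_4' = T_3^{c} g^{s_1 - c2^{\gamma_1}} h^{s_4}$, which the forged responses satisfy.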

Remark 2: The authors [1] claimed that 

    First note that due to Corollary 2, GM does not get any information about a user's 
    secret $x_i$ apart from $a^{x_i}$. Thus, the value $x_i$ is computationally hidden from GM. 
    Next note that $T_1$, $T_2$, and $T_3$ are unconditionally binding commitments to $A_i$ 
    and $e_i$. One can show that, if the factorization of $n$ were publicly known, the 
    interactive proof underlying the group signature scheme is a proof of knowledge of the 
    discrete log of $A_i^{e_i}/a_0$ (provided that $\ell_p$ is larger than twice the output 
    length of the hash function / size of the challenges). Hence, not even the group 
    manager can sign on behalf of $P_i$ because computing discrete logarithms is assumed 
    to be infeasible. 

But in the above attack GM never needs the user's secret $x_i$, even though $T_1$, $T_2$ and $T_3$ 
are unconditionally binding commitments to $A_i$ and $e_i$ (indeed the forged $T_3 = h^{\omega}$ does 
not even involve $e_i$): knowing $t = \log_{a_0} a$ and the factorization of $n$, GM produces 
responses that satisfy all four verification equations without any witness $x_i$. We stress that 
inferences of this kind (the secret is hidden and the commitments are binding, therefore no 
forgery is possible) are not sound, though they are prevalent in some so-called security proofs. 

4 Conclusion 

In this paper we show that the ACJT group signature scheme is not exculpable: a group manager 
that chooses $a = a_0^{t}$ in SETUP can sign on behalf of any member. The attack introduced in 
the paper will be helpful for researching group signature schemes in the future. Incidentally, 
the fair E-cash system [8] directly based on ACJT fails. But it seems that the attack does not 
apply to the extensions of ACJT proposed in [9]. The extension proposed in [10] appears to resist 
the attack at the cost of the presence of a trusted third party. 